Description
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
Published: 2026-03-19
Score: 1.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via 1-byte heap read
Action: Patch
AI Analysis

Impact

A crafted CMS EnvelopedData message containing zero‑length encrypted content triggers a 1‑byte out‑of‑bounds heap read in the wc_PKCS7_DecodeEnvelopedData function of the wolfSSL library. The read occurs because the function does not properly check bounds when processing the encrypted content. The resulting unwanted memory access may leak a single byte of data from the heap, potentially revealing sensitive information. This weakness is identified as CWE‑125 (Out‑of‑Bounds Read).
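To illustrate the bug class the analysis describes, the following is an added C example, not wolfSSL's code: it assumes a hypothetical post-decryption step that reads the PKCS#7 padding length from the last byte of the encryptedContent, and shows the lower-bound check that keeps a zero-length content from causing a one-byte read before the buffer (all function and sample names are constructed for this illustration).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the bug class (added illustration, not wolfSSL code):
 * the EnvelopedData encryptedContent arrives as a DER OCTET STRING; after
 * decryption (a no-op on the constructed sample) the last plaintext byte holds
 * the PKCS#7 padding length. Reading it from zero-length content is a 1-byte
 * read before the allocation, the pattern the advisory describes. */

enum { CMS_OK = 0, CMS_ERR_DER = -1, CMS_ERR_EMPTY = -2, CMS_ERR_PAD = -3 };
#define BLOCK_SZ 16

/* Parse a short-form DER OCTET STRING (tag 0x04, length < 128). */
static int der_octet_string(const uint8_t *in, size_t inSz, size_t *off, size_t *len)
{
    if (in == NULL || inSz < 2 || in[0] != 0x04 || (in[1] & 0x80))
        return CMS_ERR_DER;
    *len = in[1];
    *off = 2;
    return (*len > inSz - 2) ? CMS_ERR_DER : CMS_OK; /* length past the buffer */
}

/* Returns the unpadded plaintext length, or a negative CMS_ERR_* code. */
int cms_strip_padding(const uint8_t *msg, size_t msgSz)
{
    size_t off, len;
    int rc = der_octet_string(msg, msgSz, &off, &len);
    if (rc != CMS_OK)
        return rc;
    /* Lower-bound check: with len == 0, content[len - 1] would read one byte
     * before the buffer, so reject empty content before touching it. */
    if (len == 0)
        return CMS_ERR_EMPTY;
    const uint8_t *content = msg + off;
    uint8_t pad = content[len - 1];              /* safe: len >= 1 */
    if (pad < 1 || pad > BLOCK_SZ || pad > len)
        return CMS_ERR_PAD;
    for (size_t i = len - pad; i < len; i++)     /* all pad bytes must equal pad */
        if (content[i] != pad)
            return CMS_ERR_PAD;
    return (int)(len - pad);
}

/* Constructed samples: an empty OCTET STRING (the CVE's trigger shape), a
 * 16-byte block "abcdefghijklmn" + 0x02 0x02, and a truncated message. */
const uint8_t sample_empty[]     = { 0x04, 0x00 };
const uint8_t sample_padded[]    = { 0x04, 0x10, 'a','b','c','d','e','f','g',
                                     'h','i','j','k','l','m','n', 0x02, 0x02 };
const uint8_t sample_truncated[] = { 0x04, 0x05, 'a' };
```

The empty sample is rejected with CMS_ERR_EMPTY before any content byte is read; the padded sample yields a plaintext length of 14.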

Affected Systems

wolfSSL versions 5.8.4 and earlier contain the flaw. The vulnerability is present in builds where PKCS7 support is enabled, while the default configuration disables PKCS7. No other vendors or products are reported as affected.

Risk and Exploitability

The CVSS score of 1.2 indicates low severity, the EPSS score is below 1%, and there is no KEV listing, which suggests limited evidence of exploitation. Exploitation requires an attacker to craft a CMS EnvelopedData message with zero‑length encrypted content and have it processed by an application built with wolfSSL's PKCS7 support enabled. The primary risk is the disclosure of a single byte of heap memory, so the impact is modest. The CVSS vector marks the attack vector as local (AV:L), and exploitability is low given the precise input required and the one‑byte read length.

Generated by OpenCVE AI on March 19, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to a version newer than 5.8.4, such as 5.8.5 or later
  • If an upgrade is not immediately possible, verify that PKCS7 support remains disabled in the configuration
  • Configure network or application-layer controls to reject unexpected CMS EnvelopedData messages with zero‑length content
  • Keep the wolfSSL library monitored for vendor releases and apply patches as soon as they become available

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wolfssl; Wolfssl wolfssl
Vendors & Products    -                Wolfssl; Wolfssl wolfssl

Thu, 19 Mar 2026 21:30:00 +0000

Type          Values Removed   Values Added
Description   -                1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
Title         -                wc_PKCS7_DecodeEnvelopedData 1 byte out-of-bounds read
Weaknesses    -                CWE-125
References    -                -
Metrics       -                cvssV4_0: {'score': 1.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-03-20T16:29:05.925Z

Reserved: 2026-03-13T20:37:44.765Z

Link: CVE-2026-4159

Vulnrichment

Updated: 2026-03-20T16:29:01.336Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T22:16:42.993

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-4159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T11:05:59Z

Weaknesses