CVE-2026-5477 - Vulnerability Details

- Prefix-substitution forgery via integer overflow in wolfCrypt CMAC

Description

An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.

Published: 2026-04-10

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An integer overflow in the wolfCrypt CMAC implementation causes the XOR‑chaining guard to be skipped after 4 GiB of processed data. This produces identical CMAC tags for messages that share a common suffix beyond that boundary, allowing an attacker to forge a CMAC for a malicious message with a different prefix. The flaw is an integer overflow (CWE‑190) that enables bypass of authentication and can be used to manipulate or impersonate verified data.

Affected Systems

The vulnerability is present in the wolfSSL wolfCrypt CMAC component. Affected vendor is wolfSSL. No specific version information is provided in the advisory; the issue exists in all releases that include the flawed wc_CmacUpdate guard.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is high severity. EPSS information is not available and it is not listed in the CISA KEV catalog. Exploitation requires processing over four gigabytes of data to wrap the 32‑bit counter, so it is likely relevant to applications handling very large streams or files. When exploited, an attacker can forge CMAC tags and authenticate malicious messages, compromising data integrity and potentially enabling further attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wolfSSL

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.9.0

No data.

Vendor Product Confidence Versions

Wolfssl

100%

Version	Status	Scheme	Platform
`[0,5.9.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade wolfSSL to a version that includes the CMAC update fix (see pull request 10102).

Generated by OpenCVE AI on April 10, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/wolfSSL/wolfssl/pull/10102

History

Fri, 10 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wolfssl Wolfssl wolfssl
Vendors & Products		Wolfssl Wolfssl wolfssl

Fri, 10 Apr 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.
Title		Prefix-substitution forgery via integer overflow in wolfCrypt CMAC
Weaknesses		CWE-190
References		https://github.com/wolfSSL/wolfssl/pull/10102
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Wolfssl Wolfssl

MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published: 2026-04-10T05:06:22.884Z

Updated: 2026-04-10T14:04:00.411Z

Reserved: 2026-04-03T07:59:59.388Z

Link: CVE-2026-5477

Vulnrichment

Updated: 2026-04-10T14:03:57.033Z

NVD

Status : Received

Published: 2026-04-10T06:16:05.243

Modified: 2026-04-10T06:16:05.243

Link: CVE-2026-5477

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:43Z

Weaknesses

CWE-190

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object