Description
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.
Published: 2026-04-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via AES‑GCM tag truncation
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in wc_PKCS7_DecodeAuthEnvelopedData, which omits a lower bound check on the AES‑GCM authentication tag length. An attacker can truncate the MAC field from the proper 16 bytes to 1 byte, reducing the tag verification probability from 2⁻¹²⁸ to 2⁻⁸ and allowing the encrypted data to be processed without authenticating it. This constitutes a bypass of the integrity check and enables unauthorized disclosure of encrypted secrets.

Affected Systems

wolfSSL software that implements the PKCS#7 envelope decoding routine is affected. The specific version is not listed, so any release that includes the vulnerable wc_PKCS7_DecodeAuthEnvelopedData implementation may be impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Although exact EPSS data is unavailable, the vulnerability involves a known denial of verification and is not listed in CISA's KEV catalogue, suggesting it is not yet widely exploited. The likely attack vector is a man‑in‑the‑middle positioned on the channel carrying PKCS#7 enveloped data, capable of truncating the MAC field. Because the bug removes a critical integrity check, successful exploitation would give an attacker unauthorized access to the decrypted payload.

Generated by OpenCVE AI on April 10, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest wolfSSL patch that addresses the tag length check, as referenced in PR 10102
  • If an update is not yet possible, avoid accepting PKCS#7 enveloped data from untrusted sources or implement a manual tag length verification routine before decryption
  • Monitor traffic and logs for anomalies that could indicate an attempt to truncate authentication tags

Generated by OpenCVE AI on April 10, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Fri, 10 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Description wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.
Title Improper Validation of AES-GCM Authentication Tag Length in PKCS#7 Envelope Allows Authentication Bypass
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-10T13:42:28.091Z

Reserved: 2026-04-03T15:33:05.734Z

Link: CVE-2026-5500

cve-icon Vulnrichment

Updated: 2026-04-10T13:42:24.461Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T04:17:17.080

Modified: 2026-04-27T18:15:22.950

Link: CVE-2026-5500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:26:55Z

Weaknesses