Description
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext Disclosure
Action: Patch
AI Analysis

Impact

This vulnerability is a padding oracle flaw in wolfSSL's PKCS7 cipher block chaining (CBC) decryption routine. An attacker can submit multiple crafted ciphertexts to the vulnerable decryption function and, by observing whether each decryption is accepted or rejected, recover the original plaintext. The weakness, classified as CWE-354, is a classic padding oracle whose primary impact is plaintext disclosure.

Affected Systems

The flaw affects older releases of the wolfSSL library. Any system that incorporates a wolfSSL version predating the security update (the update adds validation of the interior padding bytes during PKCS7 CBC decryption) is susceptible. The vendor listing names only "wolfSSL:wolfSSL" as the affected product and gives no specific version range, so the risk should be assumed to apply to every unpatched instance.

Risk and Exploitability

The CVSS score of 6.3 denotes a vulnerability of moderate severity. No EPSS score is available, and the issue is not catalogued in CISA's KEV list. The most probable attack vector is remote, since an adversary only needs to be able to send arbitrary ciphertexts to the decryption endpoint. With repeated access to the target's decryption routine, an attacker can iteratively recover secrets or sensitive messages, potentially compromising confidentiality across the affected system.

Generated by OpenCVE AI on April 9, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to the latest version that fixes the PKCS7 CBC padding oracle flaw (see pull request 10088 on the wolfSSL GitHub repository).
  • Verify that the library now performs interior padding byte validation before decryption.
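The following is an added illustration, not wolfSSL's code and not taken from the referenced pull request: it places a weak PKCS7 unpadding routine that inspects only the final byte (the behaviour the description attributes to unpatched versions) beside a hardened routine that checks every padding byte of the last block in constant time, so that a malformed ciphertext is rejected without leaking which byte was wrong. Sample blocks, block size and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16u   /* AES block size; assumed for this example */

/* 0xFF if a < b, else 0x00, with no data-dependent branch (requires a, b < 2^31). */
static uint8_t ct_lt(uint32_t a, uint32_t b) {
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* 0xFF if a == 0, else 0x00 (requires a < 2^31). */
static uint8_t ct_is_zero(uint32_t a) {
    return (uint8_t)(0u - ((a - 1u) >> 31));
}

/* Weak check: trusts the final byte and never looks at the interior padding bytes.
 * A block ending in 01 02 03 04 is accepted as if it carried four bytes of padding,
 * which is the kind of acceptance an oracle attack relies on. */
int pkcs7_unpad_last_byte_only(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) return -1;
    *out_len = len - pad;
    return 0;
}

/* Hardened check: every byte covered by the pad value must equal that value.
 * The loop always visits the whole last block and accumulates mismatches in a
 * mask, so timing does not depend on which byte differs. */
int pkcs7_unpad_all_bytes(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;   /* length is public; branching is fine */
    uint32_t pad = buf[len - 1];
    uint8_t bad = ct_is_zero(pad) | ct_lt(BLOCK_SIZE, pad);  /* pad must be in 1..BLOCK_SIZE */
    const uint8_t *last = buf + len - BLOCK_SIZE;
    for (uint32_t i = 0; i < BLOCK_SIZE; i++) {
        /* byte i of the last block is padding when (BLOCK_SIZE - 1 - i) < pad */
        uint8_t is_pad = ct_lt(BLOCK_SIZE - 1u - i, pad);
        bad |= is_pad & (uint8_t)(last[i] ^ (uint8_t)pad);
    }
    uint8_t ok = (uint8_t)(((uint32_t)bad - 1u) >> 31);  /* 1 iff no mismatch was recorded */
    *out_len = len - (size_t)(pad & (0u - (uint32_t)ok));
    return ok ? 0 : -1;
}

/* Convenience wrapper: payload length on success, -1 if the padding was rejected. */
int unpad_len(const uint8_t *buf, size_t len, int validate_all_bytes) {
    size_t n = 0;
    int rc = validate_all_bytes ? pkcs7_unpad_all_bytes(buf, len, &n)
                                : pkcs7_unpad_last_byte_only(buf, len, &n);
    return rc == 0 ? (int)n : -1;
}

/* Constructed sample final blocks (not real wolfSSL data). */
const uint8_t SAMPLE_GOOD[BLOCK_SIZE] =
    { 'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 4, 4, 4 };
const uint8_t SAMPLE_BAD_INTERIOR[BLOCK_SIZE] =
    { 'h','e','l','l','o',' ','w','o','r','l','d','!', 1, 2, 3, 4 };
const uint8_t SAMPLE_FULL_PAD[BLOCK_SIZE] =
    { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };
const uint8_t SAMPLE_ZERO_PAD[BLOCK_SIZE] =
    { 'h','e','l','l','o',' ','w','o','r','l','d','!', 0, 0, 0, 0 };

int main(void) {
    printf("good block        weak=%d strict=%d\n",
           unpad_len(SAMPLE_GOOD, BLOCK_SIZE, 0), unpad_len(SAMPLE_GOOD, BLOCK_SIZE, 1));
    printf("bad interior      weak=%d strict=%d\n",
           unpad_len(SAMPLE_BAD_INTERIOR, BLOCK_SIZE, 0), unpad_len(SAMPLE_BAD_INTERIOR, BLOCK_SIZE, 1));
    printf("full block of pad weak=%d strict=%d\n",
           unpad_len(SAMPLE_FULL_PAD, BLOCK_SIZE, 0), unpad_len(SAMPLE_FULL_PAD, BLOCK_SIZE, 1));
    return 0;
}
```

The second sample block is the case that matters for this advisory: the weak routine reports 12 bytes of payload because the trailing byte reads 4, while the hardened routine rejects it because bytes 12 to 14 are not 4. Rejecting all malformed padding uniformly, and returning the same error as an integrity failure would, is what removes the oracle.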


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 14 Apr 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Wolfssl; Wolfssl wolfssl
Vendors & Products |                | Wolfssl; Wolfssl wolfssl

Thu, 09 Apr 2026 22:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.
Title       |                | PKCS7 CBC Padding Oracle — Plaintext Recovery
Weaknesses  |                | CWE-354
References  |                |
Metrics     |                | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-14T14:34:40.546Z

Reserved: 2026-04-03T16:06:24.620Z

Link: CVE-2026-5504

Vulnrichment

Updated: 2026-04-14T14:34:00.312Z

NVD

Status : Analyzed

Published: 2026-04-09T23:17:01.400

Modified: 2026-04-29T14:06:58.727

Link: CVE-2026-5504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:35Z

Weaknesses