Description
Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed. An attacker able to submit crafted EnvelopedData messages and observe error responses could use this as a padding oracle to incrementally recover the encrypted Content Encryption Key (CEK). The fix generates a deterministic pseudo-random fake CEK on padding failure (via HMAC-SHA256) and proceeds with decryption identically, using constant-time operations throughout, so that all failure paths produce the same error regardless of padding validity.
Published: 2026-06-25
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A padding oracle vulnerability exists in wolfSSL's handling of PKCS#7 EnvelopedData when using RSA PKCS#1 v1.5 key transport. The implementation returns distinguishable error codes for padding validation failures versus other decryption errors, allowing an attacker to infer, for each crafted ciphertext, whether the RSA-decrypted block had valid PKCS#1 v1.5 padding. By repeatedly sending crafted EnvelopedData messages to a system that performs such decryption, the attacker can gradually recover the Content Encryption Key (CEK) and subsequently decrypt the protected message contents. The weakness is classified as CWE-208 (Observable Timing Discrepancy).

Affected Systems

The affected product is wolfSSL. No specific version information is supplied in the listed data; therefore any installation of wolfSSL that performs PKCS#7 EnvelopedData decryption using RSA PKCS#1 v1.5 may be vulnerable unless patched.

Risk and Exploitability

The CVSS score of 6 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, so current public exploit evidence is limited. Nevertheless, the flaw can be exploited remotely if an application processes user-supplied EnvelopedData and exposes the distinct error paths to the sender. An attacker who can observe those error responses can use them as an oracle to recover the CEK; the CVSS score reflects the confidentiality impact and the feasibility of the attack under normal network conditions. The patch mitigates the issue by deriving a deterministic fake CEK on padding failure and handling both paths in constant time, so the risk diminishes once the fix is applied.

Generated by OpenCVE AI on June 25, 2026 at 18:39 UTC.
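The fix pattern the description attributes to the patch, shown as an added illustration that is not wolfSSL's code: a PKCS#1 v1.5 type-2 unwrapper that inspects every byte unconditionally and, on padding failure, substitutes an HMAC-SHA256-derived fake CEK chosen without branching, beside the pre-fix shape that reports padding failure separately. It operates on an already RSA-decrypted block; `fake_key` (a per-recipient secret), the function names and the sample blocks are assumptions constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed illustration of the fix described in the advisory. No RSA is
# performed here: `em` is the block an RSA private-key operation would yield.
# Python cannot guarantee constant time; the branch-free selection shows the shape.

def type2_padding_is_bad(em: bytes, cek_len: int) -> int:
    """Return 1 if the PKCS#1 v1.5 type-2 padding is invalid, 0 if valid,
    examining every byte without early exit once the (public) length is known."""
    k = len(em)
    if k < cek_len + 11:                       # length is public (RSA modulus size)
        return 1
    sep = k - cek_len - 1                      # where the 0x00 separator must sit
    bad = int(em[0] != 0x00) | int(em[1] != 0x02) | int(em[sep] != 0x00)
    for b in em[2:sep]:                        # padding string must be non-zero
        bad |= int(b == 0x00)
    return bad

def unwrap_cek_uniform(em: bytes, cek_len: int, fake_key: bytes,
                       ciphertext: bytes) -> bytes:
    """Fixed shape: always returns a CEK-sized key. On bad padding the key is a
    deterministic function of the ciphertext (fake_key is an assumed per-recipient
    secret), so the content step that follows fails the same way for every guess."""
    bad = type2_padding_is_bad(em, cek_len)
    real = em[-cek_len:]
    fake = hmac.new(fake_key, ciphertext, hashlib.sha256).digest()[:cek_len]
    mask = (-bad) & 0xFF                       # 0x00 when valid, 0xFF when invalid
    return bytes((r & (mask ^ 0xFF)) | (f & mask) for r, f in zip(real, fake))

def unwrap_cek_oracle(em: bytes, cek_len: int) -> Optional[bytes]:
    """Pre-fix shape: padding failure is reported on its own (None here). A caller
    that maps it to a different error than a later content failure is the oracle."""
    if type2_padding_is_bad(em, cek_len):
        return None
    return em[-cek_len:]
```

With the uniform variant, a wrong padding guess and a right guess both end in the same downstream content error, which is the property the recommended actions below ask you to verify in your own error handling.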

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest wolfSSL release that includes the fix found in pull request 10203, ensuring the library’s decryption logic no longer exposes padding errors.
  • Verify that your application’s higher‑level error handling does not differentiate between padding‑validation failures and other decryption errors—errors should be logged uniformly and presented to end users without revealing internal status.
  • Re‑validate the decryption workflow to confirm consistent constant‑time operations; consider substituting RSA PKCS#1 v1.5 with RSA OAEP for future deployments if feasible.


Tracking


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:30:00 +0000

Type: First Time appeared
Values Added: Wolfssl; Wolfssl wolfssl

Type: Vendors & Products
Values Added: Wolfssl; Wolfssl wolfssl

Thu, 25 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type: Description
Values Added: Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed. An attacker able to submit crafted EnvelopedData messages and observe error responses could use this as a padding oracle to incrementally recover the encrypted Content Encryption Key (CEK). The fix generates a deterministic pseudo-random fake CEK on padding failure (via HMAC-SHA256) and proceeds with decryption identically, using constant-time operations throughout, so that all failure paths produce the same error regardless of padding validity.

Type: Title
Values Added: Bleichenbacher padding oracle in PKCS#7 KTRI RSA PKCS#1 v1.5 decryption

Type: Weaknesses
Values Added: CWE-208

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0
{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T17:59:08.922Z

Reserved: 2026-04-14T17:40:51.467Z

Link: CVE-2026-6291

Vulnrichment

Updated: 2026-06-25T17:59:05.365Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:15:04Z

Weaknesses
  • CWE-208: Observable Timing Discrepancy