Description
HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or otherwise truncated tag could pass verification. The fix requires the supplied tag length to exactly equal the MAC length and rejects a zero-length MAC, so a forged short or empty tag is no longer accepted.
Published: 2026-06-25
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to forge a cryptographic signature by submitting a zero-length or otherwise truncated HMAC tag that is erroneously accepted as valid during EVP_DigestVerifyFinal verification. As a result, an attacker could have a message falsely authenticated, effectively bypassing integrity checks that rely on HMAC verification. This weaknesses is identified as CWE-347, indicating a failure to properly enforce cryptographic checks. The impact is limited to the integrity of data protected by this verification path, and does not expose confidentiality directly.

Affected Systems

The affected product is wolfSSL, as noted by the CNA vendor/product name. No specific versions are listed in the CNA data, so it is necessary to review the release notes of wolfSSL or consult the vendor for the relevant range affected by the bug.

Risk and Exploitability

The CVSS score of 2.1 indicates a very low overall severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation at the present time. The most probable attack vector is the provision of a forged signature or HMAC tag to the application. Based on the description, it is inferred that the flaw could be exploited remotely or locally by any entity that can supply input to the HMAC verification routine. However, exploitation requires the attacker to control or influence the signature data, which may limit the attack surface.

Generated by OpenCVE AI on June 25, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a wolfSSL release that includes the fix for zero-length HMAC tag validation
  • Verify that the HMAC verification routine enforces an exact tag length equal to the MAC length before performing the cryptographic check
  • If an upgrade cannot be performed immediately, implement an application-layer check to reject signatures shorter than the expected MAC length
  • Consider disabling or removing any code paths that accept zero-length or truncated HMAC tags if they are not required for legitimate operations

Generated by OpenCVE AI on June 25, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or otherwise truncated tag could pass verification. The fix requires the supplied tag length to exactly equal the MAC length and rejects a zero-length MAC, so a forged short or empty tag is no longer accepted.
Title HMAC zero-length tag forgery in EVP_DigestVerifyFinal
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T20:56:25.876Z

Reserved: 2026-04-15T03:08:31.649Z

Link: CVE-2026-6331

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature