Description
Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.
Published: 2026-06-25
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer underflow that occurs inside the wc_PKCS7_DecryptOri routine when it processes a crafted Other Recipient Information block. The underflow produces an incorrect length value, which can cause the routine to read beyond the bounds of the supplied buffer during decryption. The potential effect is an incorrect memory read or memory corruption that may lead to crashes or unpredictable program behavior. The CVE data does not detail the exact conditions for exploitation, but the inference is that an attacker could supply a malformed PKCS#7 message to trigger the flaw.

Affected Systems

The affected product is wolfSSL, from the vendor wolfSSL. The evidence lists no specific vulnerable version range, so any installation that uses the wc_PKCS7_DecryptOri function and predates the described patch could be at risk.

Risk and Exploitability

The CVSS score is 1, indicating very low severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that the likelihood of known exploitation is low. The probable attack vector involves sending a crafted PKCS#7 packet to a vulnerable application, but because the effect is primarily a potential crash or corruption, the overall risk remains low under current data.

Generated by OpenCVE AI on June 25, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to a version that incorporates the fix referenced in the pull request at https://github.com/wolfSSL/wolfssl/pull/10203
  • Implement checks to validate the length of Other Recipient Information blocks before invoking decryption routines
  • Monitor application logs for abnormal termination or memory access errors that may indicate exploitation

Generated by OpenCVE AI on June 25, 2026 at 22:36 UTC.
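As an added illustration of the second recommended action (validating a block's length before it feeds a subtraction), the following C example shows the CWE-191 pattern side by side with the check that prevents it. It is not wolfSSL's code and not the content of the referenced pull request; the block layout it parses (one identifier-length byte, the identifier bytes, then the remainder of the block as payload) is a made-up simplification, not the real PKCS#7 Other Recipient Info encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified block layout (constructed for this example):
 *   blk[0]            = length of the identifier that follows
 *   blk[1 .. idLen]   = identifier bytes
 *   blk[1+idLen ..]   = payload occupying the rest of the block
 */

/* Vulnerable pattern (CWE-191): the payload length is computed by
 * subtracting header sizes from an unsigned total without first checking
 * that the header fits. A short block wraps the result to a huge value,
 * and any later read or copy bounded by that value runs off the buffer. */
size_t ori_payload_len_vulnerable(const uint8_t *blk, size_t blkSz)
{
    size_t idLen = blk[0];
    return blkSz - 1 - idLen;   /* wraps around when blkSz < 1 + idLen */
}

/* Hardened version: validate the header against the block size before
 * subtracting. Returns 0 on success with *payloadLen set, -1 if the block
 * is malformed. */
int ori_payload_len_checked(const uint8_t *blk, size_t blkSz, size_t *payloadLen)
{
    if (blk == NULL || payloadLen == NULL || blkSz < 1)
        return -1;                       /* no room even for the length byte */
    size_t idLen = blk[0];
    if (idLen > blkSz - 1)
        return -1;                       /* identifier would exceed the block */
    *payloadLen = blkSz - 1 - idLen;     /* cannot underflow after the check */
    return 0;
}

/* Convenience wrapper: the checked length, or -1 for a malformed block. */
long checked_len(const uint8_t *blk, size_t blkSz)
{
    size_t n = 0;
    if (ori_payload_len_checked(blk, blkSz, &n) != 0)
        return -1;
    return (long)n;
}

/* Constructed sample blocks. */
static const uint8_t kGoodBlock[]  = { 2, 'i', 'd', 0xAA, 0xBB, 0xCC }; /* 2-byte id, 3-byte payload */
static const uint8_t kExactBlock[] = { 2, 'i', 'd' };                   /* 2-byte id, empty payload  */
static const uint8_t kShortBlock[] = { 9, 'i', 'd' };                   /* claims a 9-byte id in 3 bytes */

int main(void)
{
    printf("vulnerable length for short block: %zu (block is %zu bytes)\n",
           ori_payload_len_vulnerable(kShortBlock, sizeof kShortBlock),
           sizeof kShortBlock);
    printf("checked length, good block:  %ld\n", checked_len(kGoodBlock, sizeof kGoodBlock));
    printf("checked length, exact block: %ld\n", checked_len(kExactBlock, sizeof kExactBlock));
    printf("checked length, short block: %ld\n", checked_len(kShortBlock, sizeof kShortBlock));
    return 0;
}
```

The design point is that the comparison is done in the domain where it cannot wrap (`idLen > blkSz - 1` after confirming `blkSz >= 1`), so the subtraction that follows is always well defined; a parser that instead checks the computed length after the fact is already working with a wrapped value.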

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wolfssl
                                       Wolfssl wolfssl
Vendors & Products                     Wolfssl
                                       Wolfssl wolfssl

Thu, 25 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.
Title                          Integer underflow in wc_PKCS7_DecryptOri handling crafted Other Recipient Info
Weaknesses                     CWE-191
References
Metrics                        cvssV4_0
                               {'score': 1, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T20:16:08.416Z

Reserved: 2026-04-20T14:57:53.610Z

Link: CVE-2026-6678

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-191: Integer Underflow (Wrap or Wraparound)