Description
The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.
Published: 2026-06-25
Score: 1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PKCS#7 decode routine ignores the caller‑supplied output buffer size, so decoded content can be written beyond the bounds of the provided buffer. This buffer overflow is classified as CWE-120 and CWE-787; it can lead to memory corruption and potentially to arbitrary code execution if an attacker can supply crafted PKCS#7 data.

Affected Systems

wolfSSL libraries at version 5.9.0 and earlier are affected. The issue was remediated in the 5.9.1 release, so any installation using a pre‑5.9.1 build is at risk.

Risk and Exploitability

The CVSS score of 1 indicates a low severity impact; there is no EPSS score available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need to supply malicious PKCS#7 data to the vulnerable decode path, which is typically an application‑level operation. Exploitation therefore requires the ability to influence the data being decoded, so the attack vector is inferred to be application‑controlled input.

Generated by OpenCVE AI on June 25, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to version 5.9.1 or later where the buffer size check is restored.
  • If an upgrade is not feasible, limit the use of PKCS#7 decoding to trusted data only and validate input lengths before invoking the library.
  • Deploy isolation or sandboxing around components that handle PKCS#7 data to contain potential memory corruption effects.
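The following C example is added here to illustrate the defect class in the description (an output buffer size parameter that is accepted but never consulted) beside the hardened form, and the "validate input lengths before invoking the library" step from the recommended actions. It is constructed for this page and is not wolfSSL code: the decoder handles only a single DER OCTET STRING, and every function name, return code and sample blob is invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a minimal DER OCTET STRING decoder that honours the
 * caller's outputSz, beside the unchecked pattern the advisory describes.
 * Stand-ins only, not wolfSSL code; all names here are invented. */

#define DECODE_OK                0
#define DECODE_ERR_BAD_INPUT    -1   /* malformed or truncated encoding */
#define DECODE_ERR_OUTPUT_SIZE  -2   /* content would not fit in outputSz */

/* Read a DER length (short or long form) from in[0..inSz).
 * Returns the number of length bytes consumed, or -1 if malformed. */
static int der_read_length(const uint8_t* in, size_t inSz, size_t* len)
{
    if (inSz < 1) return -1;
    uint8_t first = in[0];
    if (first < 0x80) { *len = first; return 1; }        /* short form */
    size_t n = first & 0x7F;                              /* long form: n bytes follow */
    if (n == 0 || n > sizeof(size_t) || inSz < 1 + n) return -1;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[1 + i];
    *len = v;
    return (int)(1 + n);
}

/* Locate the content of a DER OCTET STRING (tag 0x04) without copying it.
 * This is the caller-side "validate input lengths before invoking the
 * library" step: the required size is known before any write happens. */
int der_octet_string_peek(const uint8_t* in, size_t inSz,
                          size_t* contentOff, size_t* contentLen)
{
    if (in == NULL || inSz < 2 || in[0] != 0x04) return DECODE_ERR_BAD_INPUT;
    size_t len;
    int hdr = der_read_length(in + 1, inSz - 1, &len);
    if (hdr < 0) return DECODE_ERR_BAD_INPUT;
    size_t off = 1 + (size_t)hdr;
    if (len > inSz - off) return DECODE_ERR_BAD_INPUT;   /* declared length exceeds input */
    *contentOff = off;
    *contentLen = len;
    return DECODE_OK;
}

/* Unchecked pattern (CWE-120 / CWE-787): outputSz is accepted but never
 * consulted, so content longer than the buffer is written past its end.
 * Shown for contrast only; never call it with an undersized output buffer. */
int decode_octet_string_unchecked(const uint8_t* in, size_t inSz,
                                  uint8_t* output, size_t outputSz)
{
    size_t off, len;
    (void)outputSz;                                       /* the bug: size ignored */
    if (der_octet_string_peek(in, inSz, &off, &len) != DECODE_OK) return DECODE_ERR_BAD_INPUT;
    memcpy(output, in + off, len);                        /* may write past output */
    return (int)len;
}

/* Hardened form: refuses to write when the content exceeds outputSz and
 * reports the required size through *written so the caller can resize. */
int decode_octet_string_checked(const uint8_t* in, size_t inSz,
                                uint8_t* output, size_t outputSz, size_t* written)
{
    size_t off, len;
    if (output == NULL || written == NULL) return DECODE_ERR_BAD_INPUT;
    int rc = der_octet_string_peek(in, inSz, &off, &len);
    if (rc != DECODE_OK) return rc;
    *written = len;
    if (len > outputSz) return DECODE_ERR_OUTPUT_SIZE;   /* the restored bounds check */
    memcpy(output, in + off, len);
    return DECODE_OK;
}

/* Scenarios over constructed inputs; each returns a value a test can assert on. */
int scenario_fits(void)          /* 3-byte content into an 8-byte buffer */
{
    static const uint8_t blob[] = { 0x04, 0x03, 'a', 'b', 'c' };
    uint8_t out[8] = {0}; size_t n = 0;
    int rc = decode_octet_string_checked(blob, sizeof blob, out, sizeof out, &n);
    return (rc == DECODE_OK && n == 3 && memcmp(out, "abc", 3) == 0) ? 1 : 0;
}
int scenario_too_small(void)     /* 3-byte content into a 2-byte buffer: nothing written */
{
    static const uint8_t blob[] = { 0x04, 0x03, 'a', 'b', 'c' };
    uint8_t out[2] = { 0xEE, 0xEE }; size_t n = 0;
    int rc = decode_octet_string_checked(blob, sizeof blob, out, sizeof out, &n);
    return (rc == DECODE_ERR_OUTPUT_SIZE && n == 3 && out[0] == 0xEE && out[1] == 0xEE) ? 1 : 0;
}
int scenario_long_form(void)     /* long-form length encoding 0x81 0x05 */
{
    static const uint8_t blob[] = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };
    uint8_t out[16] = {0}; size_t n = 0;
    int rc = decode_octet_string_checked(blob, sizeof blob, out, sizeof out, &n);
    return (rc == DECODE_OK && n == 5 && out[4] == 5) ? 1 : 0;
}
int scenario_truncated(void)     /* declares 16 content bytes, supplies 2 */
{
    static const uint8_t blob[] = { 0x04, 0x10, 1, 2 };
    uint8_t out[32] = {0}; size_t n = 0;
    return decode_octet_string_checked(blob, sizeof blob, out, sizeof out, &n);
}

int main(void)
{
    printf("fits=%d too_small=%d long_form=%d truncated=%d\n",
           scenario_fits(), scenario_too_small(), scenario_long_form(), scenario_truncated());
    return 0;
}
```

The two decoders differ by a single comparison, which is the point: a size parameter that is received but never compared against the declared content length gives the caller no protection at all. The `der_octet_string_peek` helper is the shape of the interim mitigation, since an application that cannot upgrade yet can refuse input whose declared length exceeds the buffer it is about to hand to the library, before the library sees it.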



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 02:15:00 +0000

  • First time appeared, values added: Wolfssl; Wolfssl wolfssl
  • Vendors & Products, values added: Wolfssl; Wolfssl wolfssl

Thu, 25 Jun 2026 21:00:00 +0000

  • Description, values added: The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.
  • Title, values added: PKCS#7 decode ignores caller output buffer size, writing past buffer bounds
  • Weaknesses, values added: CWE-120; CWE-787
  • References, values added: (none listed)
  • Metrics (cvssV4_0), values added: {'score': 1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-26T13:14:09.177Z

Reserved: 2026-04-20T15:00:32.607Z

Link: CVE-2026-6681

Vulnrichment

Updated: 2026-06-26T13:14:05.919Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T02:00:17Z

Weaknesses
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-787: Out-of-bounds Write