Description
PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in the PKCS7_verify routine where the signer identified for a signature is not correctly bound, allowing a forged signature to be accepted as valid. This creates a scenario in which an attacker could fabricate a signed message that the library will treat as authentic, undermining the integrity guarantees of signed data. The weakness is classified as CWE-347 and could lead to unauthorized disclosure or tampering of protected information where signatures are relied upon.

Affected Systems

All deployments of the wolfSSL library that employ PKCS7_verify for signature validation are potentially affected. The specific versions impacted are not enumerated in the advisory, so any installation that has not incorporated the patched code should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.9 places the vulnerability in the moderate severity range. No EPSS information or KEV listing is available, so the likelihood of exploitation cannot be quantified from the data provided. The attack vector is not explicitly stated, but the flaw involves the verification logic, which would likely require the attacker to provide a crafted signed payload to a system that processes the signature. If such a payload triggers verification, the signature will be incorrectly accepted, enabling further malicious actions.

Generated by OpenCVE AI on June 25, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to the latest version that includes the fix from PR 10203.
  • Rebuild or reinstall the library to ensure the updated code is used in all applications.
  • Audit existing signed documents and certificates for potential compromise after a review of signing logs.

Generated by OpenCVE AI on June 25, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4683-1 wolfssl security update
History

Fri, 26 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.
Title PKCS7_verify signer confusion allows forged signatures to be accepted
Weaknesses CWE-347
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-26T10:37:09.590Z

Reserved: 2026-04-30T15:18:06.285Z

Link: CVE-2026-7511

cve-icon Vulnrichment

Updated: 2026-06-26T10:37:03.440Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T03:30:06Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature