The flaw occurs in the PKCS7_verify routine where the signer identified for a signature is not correctly bound, allowing a forged signature to be accepted as valid. This creates a scenario in which an attacker could fabricate a signed message that the library will treat as authentic, undermining the integrity guarantees of signed data. The weakness is classified as CWE-347 and could lead to unauthorized disclosure or tampering of protected information where signatures are relied upon.

All deployments of the wolfSSL library that employ PKCS7_verify for signature validation are potentially affected. The specific versions impacted are not enumerated in the advisory, so any installation that has not incorporated the patched code should be considered vulnerable.

The CVSS score of 5.9 places the vulnerability in the moderate severity range. No EPSS information or KEV listing is available, so the likelihood of exploitation cannot be quantified from the data provided. The attack vector is not explicitly stated, but the flaw involves the verification logic, which would likely require the attacker to provide a crafted signed payload to a system that processes the signature. If such a payload triggers verification, the signature will be incorrectly accepted, enabling further malicious actions.