Description
wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw causes the HMAC-BLAKE2 finalization functions to discard the message when the supplied key is longer than the BLAKE2 block size. As a result, the MAC computed depends solely on the key and not on the authenticated data, allowing an attacker to forge a valid MAC for any message. This undermines the integrity guarantees that HMAC is meant to provide.

Affected Systems

wolfSSL libraries, specifically the HMAC‑BLAKE2 API introduced in version 5.9.0. The issue affects any build that uses these functions with keys exceeding the block size. Versions prior to 5.9.0 are not impacted, while the status of later versions is not specified in the data.

Risk and Exploitability

The CVSS score of 5.9 places this vulnerability in the medium severity range. EPSS data is unavailable and it is not listed in the CISA KEV catalog, indicating no publicly known exploitation at present. Nevertheless, the ability to forge a MAC can lead to severe consequences for applications that rely on HMAC‑BLAKE2 for authentication, and the attack vector is plausible through any channel that allows an attacker to provide a key longer than the block size and invoke the affected functions.

Generated by OpenCVE AI on June 25, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to a patched version that fixes the HMAC‑BLAKE2 key handling flaw.
  • If an immediate upgrade is not possible, avoid using the HMAC‑BLAKE2 APIs with keys longer than the block size; use conforming key lengths or disable that authentication method.
  • Review and modify application code that derives HMAC keys to ensure they never exceed the BLAKE2 block size, and add tests to verify that MACs still depend on the message data.
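
The last recommended action above, sketched as an added example (not wolfSSL code and not part of this record): a Python model of Init/Update/Final HMAC over BLAKE2b whose `defect` flag simulates the described state re-initialization, plus a check that MACs still depend on the message for keys below, at, and above the block size. The names `ModelHmacBlake2b`, `mac` and `depends_on_message` are hypothetical; Python's `hmac`/`hashlib` serve as the reference.

```python
import hashlib
import hmac

BLOCK = hashlib.blake2b().block_size  # 128 bytes for BLAKE2b


class ModelHmacBlake2b:
    """Hypothetical Init/Update/Final model; defect=True simulates the bug."""

    def __init__(self, key: bytes, defect: bool = False):
        self.key, self.defect = key, defect
        self.inner = hashlib.blake2b(self._pad(0x36))  # running inner hash

    def _pad(self, byte: int) -> bytes:
        # RFC 2104: keys longer than the block are hashed first, then zero-padded.
        k = self.key if len(self.key) <= BLOCK else hashlib.blake2b(self.key).digest()
        return bytes(b ^ byte for b in k.ljust(BLOCK, b"\0"))

    def update(self, data: bytes) -> None:
        self.inner.update(data)

    def final(self) -> bytes:
        if self.defect and len(self.key) > BLOCK:
            # Simulated defect: the long-key branch re-initializes the running
            # state at finalization, so everything passed to update() is lost.
            self.inner = hashlib.blake2b(self._pad(0x36))
        return hashlib.blake2b(self._pad(0x5C) + self.inner.digest()).digest()


def mac(key: bytes, msg: bytes, defect: bool = False) -> bytes:
    ctx = ModelHmacBlake2b(key, defect)
    ctx.update(msg)
    return ctx.final()


def depends_on_message(mac_fn, key: bytes) -> bool:
    """Regression check: two messages give different MACs that match the reference."""
    m1, m2 = b"constructed message A", b"constructed message B"
    t1, t2 = mac_fn(key, m1), mac_fn(key, m2)
    ref1 = hmac.new(key, m1, hashlib.blake2b).digest()
    ref2 = hmac.new(key, m2, hashlib.blake2b).digest()
    return t1 != t2 and hmac.compare_digest(t1, ref1) and hmac.compare_digest(t2, ref2)


if __name__ == "__main__":
    for klen in (32, BLOCK, BLOCK + 1, 200):  # below, at, and above the block size
        key = bytes(range(256))[:klen]        # constructed test key
        print(klen, depends_on_message(mac, key),
              depends_on_message(lambda k, m: mac(k, m, defect=True), key))
```

To exercise a real build, pass a wrapper around the library's own HMAC-BLAKE2 calls as `mac_fn`; the check fails for any implementation whose output ignores the message or diverges from the reference.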

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
First Time appeared: Wolfssl; Wolfssl wolfssl
Vendors & Products: Wolfssl; Wolfssl wolfssl

Thu, 25 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description: wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
Title: HMAC-BLAKE2 final discards message when key length exceeds block size
Weaknesses: CWE-354
References
Metrics: cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T21:18:29.260Z

Reserved: 2026-05-15T22:33:26.158Z

Link: CVE-2026-8720

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-354: Improper Validation of Integrity Check Value