CVE-2026-5500

EPSS 0.08%
Veröffentlicht 10.04.2026 04:17:17
Zuletzt bearbeitet 27.04.2026 18:15:22
Quelle facts@wolfssl.com
CVE-Watchlists
Login
Unerledigt
Login

Improper Validation of AES-GCM Authentication Tag Length in PKCS#7 Envelope Allows Authentication Bypass

wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wolfssl ≫ Wolfssl Version <= 5.9.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.235

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
facts@wolfssl.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/wolfSSL/wolfssl/pull/10102

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-5500

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5500

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5500

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-5500