Description

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.
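A minimal illustration of the validation gap described above, added here as an example; it is not wolfSSL's code or the change in the referenced pull request. The function names, the 16-byte block size and the sample buffers are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Lenient: only the final byte is inspected; interior pad bytes are unchecked. */
int pkcs7_pad_len_lenient(const uint8_t *buf, size_t len, size_t block)
{
    if (block == 0 || block > 255 || len == 0 || len % block != 0)
        return -1;
    uint8_t pad = buf[len - 1];
    return (pad == 0 || pad > block) ? -1 : (int)pad;
}

/* Strict: each of the last `pad` bytes must equal `pad`. The loop always
 * walks one full block and has no early exit, so the work done does not
 * depend on which padding byte is wrong. */
int pkcs7_pad_len_strict(const uint8_t *buf, size_t len, size_t block)
{
    if (block == 0 || block > 255 || len == 0 || len % block != 0)
        return -1;
    uint8_t pad = buf[len - 1];
    unsigned bad = (unsigned)(pad == 0) | (unsigned)(pad > block);
    for (size_t i = 0; i < block; i++) {
        uint8_t b = buf[len - 1 - i];
        /* in_pad is all ones while byte i (from the end) lies inside the padding */
        unsigned in_pad = 0u - (unsigned)(i < pad);
        bad |= in_pad & (unsigned)(b ^ pad);
    }
    return bad ? -1 : (int)pad;
}

/* Constructed sample plaintext blocks (not real traffic): 12 data bytes + padding. */
static const uint8_t GOOD[16] =
    {'s','e','c','r','e','t',' ','m','s','g','!','!', 4, 4, 4, 4};
static const uint8_t TAMPERED[16] =
    {'s','e','c','r','e','t',' ','m','s','g','!','!', 0xAA, 0x00, 4, 4};

int main(void)
{
    printf("good:     lenient=%d strict=%d\n",
           pkcs7_pad_len_lenient(GOOD, 16, 16), pkcs7_pad_len_strict(GOOD, 16, 16));
    printf("tampered: lenient=%d strict=%d\n",
           pkcs7_pad_len_lenient(TAMPERED, 16, 16), pkcs7_pad_len_strict(TAMPERED, 16, 16));
    return 0;
}
```

Whichever check is used, the caller should report one generic decryption failure so that a padding error is not distinguishable from any other error.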

PUBLISHED Reserved 2026-04-03 | Published 2026-04-09 | Updated 2026-04-14 | Assigner wolfSSL




MEDIUM: 6.3 | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-354 Improper validation of integrity check value

Product status

Default status
unaffected

Any version
affected

Credits

Sunwoo Lee of Korea Institute of Energy Technology (KENTECH) for the report. (finder)

Woohyun Choi of Korea Institute of Energy Technology (KENTECH) for the report. (finder)

Seunghyun Yoon of Korea Institute of Energy Technology (KENTECH) for the report. (finder)

References

github.com/wolfSSL/wolfssl/pull/10088

cve.org (CVE-2026-5504)

nvd.nist.gov (CVE-2026-5504)
