VYPR
← All advisories
Medium severity5.3NVD Advisory· Published Mar 19, 2026· Updated Apr 29, 2026

CVE-2026-1005

CVE-2026-1005

Description

Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer underflow in wolfSSL packet sniffer <=5.8.4 allows remote unauthenticated attackers to cause a heap buffer overflow via malformed TLS records.

The vulnerability is an integer underflow in the wolfSSL packet sniffer component when processing TLS Application Data records in AEAD decryption paths for algorithms like AES-GCM, AES-CCM, and ARIA-GCM. The issue occurs because ssl_DecodePacket lacks a length check; a record shorter than the required explicit IV and authentication tag causes a 16-bit length underflow, wrapping to a large value that is then passed to AEAD decryption routines, leading to a heap buffer overflow [1].

An unauthenticated attacker can exploit this remotely by injecting malformed TLS records into network traffic that is being monitored by the wolfSSL packet sniffer. No prior authentication or special network position is required; the attack can be triggered through crafted TLS Application Data packets.

Successful exploitation results in a heap buffer overflow, which can cause a denial-of-service (DoS) crash of the sniffing application. The CVSS score of 5.3 confirms a medium severity, with potential for more severe impact if the overflow allows further memory corruption.

The fix was implemented in pull request #9571 by adding a length check for the sniffer's AEAD decryption path. Users should upgrade wolfSSL to version 5.8.5 or later to mitigate this vulnerability [1].

References
  1. Add missing length check in sniffer for AES-GCM/AES-CCM/ARIA-GCM by mattia-moffa · Pull Request #9571 · wolfSSL/wolfssl

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • WolfSSL/Wolfssl2 versions
    cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*range: <=5.8.4
    • (no CPE)range: <=5.8.4

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.