CVE-2026-5500
Description
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing bounds check in wolfSSL's PKCS7 decoder allows an MITM to truncate AES-GCM authentication tags from 16 to 1 byte, reducing tag strength to 2⁻⁸.
Root Cause
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() fails to validate the length of the AES-GCM authentication tag, with no lower bound check. The tag length is taken directly from the message without ensuring it matches the expected 16 bytes. This allows an attacker to truncate the MAC field to a single byte.
Exploitation
An active man-in-the-middle (MITM) attacker can modify a PKCS#7 authenticated-enveloped-data message by shortening the mac field from 16 bytes to 1 byte. The only prerequisite is a network position from which the attacker can intercept and modify the message. The receiver then verifies only a 1-byte tag, which has just 256 possible values, making forgery trivial.
Impact
Successful exploitation reduces the security of the AES-GCM authentication from a 128-bit tag (probability of forgery 2⁻¹²⁸) to an 8-bit tag (probability 2⁻⁸). An attacker can forge a valid message with approximately 256 attempts, enabling impersonation or data tampering without detection.
Mitigation
The issue is fixed in wolfSSL via Pull Request #10102 [1], which adds proper validation of the authentication tag length. Users should update to a patched version or apply the corresponding patch. No workarounds are documented; the fix must be integrated to restore tag security.
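The following C program models the length-policy flaw described in the Root Cause and Exploitation sections and contrasts it with a hardened check. It is an added example written for this page, not wolfSSL's code and not the fix from Pull Request #10102; the mac_field_t struct, the function names, and the 16-byte SAMPLE_TAG value are assumptions constructed for illustration. The weak policy enforces only an upper bound on the received tag length, so a mac field truncated to one byte is accepted and a forger needs at most 256 single-byte guesses; the strict policy requires the full 16 bytes, so every truncated mac is rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCM_TAG_LEN 16  /* full 128-bit AES-GCM tag */

/* Parsed "mac" field of an AuthEnvelopedData message (hypothetical struct).
 * The length is carried in the message, so an on-path attacker controls it. */
typedef struct {
    const uint8_t *data;
    size_t len;
} mac_field_t;

/* Weak length policy, mirroring the flaw described: an upper bound only,
 * no lower bound. */
int tag_len_ok_weak(size_t len) {
    return len <= GCM_TAG_LEN;
}

/* Hardened policy: the received tag must be exactly the expected 16 bytes. */
int tag_len_ok_strict(size_t len) {
    return len == GCM_TAG_LEN;
}

/* Constant-time byte comparison so verification does not leak timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Verify a received mac against the locally recomputed 16-byte tag under the
 * given length policy. Returns 1 on accept, 0 on reject. Under the weak
 * policy only the first mac->len bytes are compared (len 0 compares nothing,
 * which is why a missing lower bound is dangerous). */
int verify_mac(const mac_field_t *mac, const uint8_t computed[GCM_TAG_LEN],
               int (*len_ok)(size_t)) {
    if (!len_ok(mac->len)) return 0;
    return ct_equal(mac->data, computed, mac->len);
}

/* log2 of the forgery probability for a tag of len bytes: 2^-(8*len). */
int forgery_prob_log2(size_t len) {
    return -(int)(8 * len);
}

/* Count how many sequential single-byte guesses are needed before the
 * receiver accepts a mac field truncated to 1 byte, under the receiver's
 * length policy. Returns 0 if none of the 256 guesses is accepted, i.e. the
 * truncation itself is rejected. */
int single_byte_guesses_until_accept(const uint8_t computed[GCM_TAG_LEN],
                                     int (*len_ok)(size_t)) {
    for (int guess = 0; guess < 256; guess++) {
        uint8_t g = (uint8_t)guess;
        mac_field_t truncated = { &g, 1 };  /* mac field shortened to 1 byte */
        if (verify_mac(&truncated, computed, len_ok)) return guess + 1;
    }
    return 0;
}

/* Constructed 16-byte tag standing in for the receiver's recomputed value. */
static const uint8_t SAMPLE_TAG[GCM_TAG_LEN] = {
    0xA1, 0x3C, 0x5E, 0x77, 0x09, 0xB2, 0xD4, 0xF6,
    0x18, 0x2A, 0x4C, 0x6E, 0x80, 0x92, 0xB4, 0xD6
};

int main(void) {
    printf("weak policy:   1-byte tag accepted after %d guesses (p = 2^%d)\n",
           single_byte_guesses_until_accept(SAMPLE_TAG, tag_len_ok_weak),
           forgery_prob_log2(1));
    printf("strict policy: guesses accepted = %d (full tag p = 2^%d)\n",
           single_byte_guesses_until_accept(SAMPLE_TAG, tag_len_ok_strict),
           forgery_prob_log2(GCM_TAG_LEN));
    return 0;
}
```

The design point is that the length policy must be decided by the receiver's expectation, never by the value carried in the message: once the decoder compares only as many bytes as the sender declared, the effective tag strength is whatever the attacker chooses it to be.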
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/wolfSSL/wolfssl/pull/10102 (NVD: Issue Tracking)
News mentions (0)
No linked articles in our index yet.