Medium severity5.3NVD Advisory· Published Apr 9, 2026· Updated Apr 29, 2026

CVE-2026-5504

Description

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.

Affected products

WolfSSL/Wolfssl
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Range: <=5.9.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/wolfSSL/wolfssl/pull/10088nvdIssue TrackingPatch

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.3/ 10

CVSS v46.3

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

Probability of exploitation in the next 30 days.

0.02%

VYPR risk score

Composite of severity, exploitation, and reach.

0.34medium

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-354
Improper Validation of Integrity Check Value

CVE ID

CVE-2026-5504

Credits

SY
Seunghyun Yoon of Korea Institute of Energy Technology (KENTECH) for the report.
finder
SL
Sunwoo Lee of Korea Institute of Energy Technology (KENTECH) for the report.
finder
WC
Woohyun Choi of Korea Institute of Energy Technology (KENTECH) for the report.
finder