CVE-2026-6678
An integer underflow vulnerability exists in the PKCS#7 OtherRecipientInfo functionality of wolfSSL (version(s): 5.9.1). A specially crafted malformed ASN.1 record can lead to a heap buffer overflow. An attacker can supply a malformed ASN.1 record to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
wolfSSL (version(s): 5.9.1)
wolfSSL - https://www.wolfssl.com/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-191 - Integer Underflow (Wrap or Wraparound)
wolfSSL is a lightweight, portable C-language SSL/TLS library targeted at IoT, embedded and RTOS environments due to its small size and high performance. It supports the latest security standards, including TLS 1.3 and DTLS 1.2, while maintaining a footprint significantly smaller than traditional libraries like OpenSSL.
Within its wolfcrypt package, wolfSSL supports a variety of crypto algorithms, including PKCS#7. While parsing the Other Recipient Info (ORI) portion of a PKCS#7 blob, wolfSSL fails to sufficiently validate the values used to calculate the ORI value’s size field, causing an integer underflow under certain conditions.
In the code block shown below, seqSz is declared at [1] and then assigned the decoded length value of the attacker-controlled buffer pkiMsg by the call to GetLength at [2]. seqSz is not modified again until it is used at [3] to calculate the size of the ORI value.
/* Decrypt ASN.1 OtherRecipientInfo (ori), as defined by:
 *
 * OtherRecipientInfo ::= SEQUENCE {
 *     oriType  OBJECT IDENTIFIER,
 *     oriValue ANY DEFINED BY oriType }
 *
 * pkcs7          - pointer to initialized PKCS7 structure
 * pkiMsg         - pointer to encoded CMS bundle
 * pkiMsgSz       - size of pkiMsg, bytes
 * idx            - [IN/OUT] pointer to index into pkiMsg
 * decryptedKey   - [OUT] output buf for decrypted content encryption key
 * decryptedKeySz - [IN/OUT] size of buffer, size of decrypted key
 * recipFound     - [OUT] 1 if recipient has been found, 0 if not
 *
 * Return 0 on success, negative upon error.
 */
static int wc_PKCS7_DecryptOri(wc_PKCS7* pkcs7, byte* in, word32 inSz,
                               word32* idx, byte* decryptedKey,
                               word32* decryptedKeySz, int* recipFound)
{
    int ret, seqSz, oriOIDSz;                                          [1]
    word32 oriValueSz, tmpIdx;
    byte* oriValue;
    byte oriOID[MAX_OID_SZ];
    ...
    pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length: inSz;
#endif
    /* get OtherRecipientInfo sequence length */
    if (GetLength(pkiMsg, idx, &seqSz, pkiMsgSz) < 0)                   [2]
        return ASN_PARSE_E;

    tmpIdx = *idx;

    /* remove and store oriType OBJECT IDENTIFIER */
    if (GetASNObjectId(pkiMsg, idx, &oriOIDSz, pkiMsgSz) != 0)
        return ASN_PARSE_E;

    if (oriOIDSz <= 0 || (word32)oriOIDSz > MAX_OID_SZ) {
        WOLFSSL_MSG("ORI oriType OID too large");
        return ASN_PARSE_E;
    }

    XMEMCPY(oriOID, pkiMsg + *idx, (word32)oriOIDSz);
    *idx += (word32)oriOIDSz;

    /* get oriValue, increment idx */
    oriValue = pkiMsg + *idx;
    oriValueSz = (word32)seqSz - (*idx - tmpIdx);                       [3]
    *idx += oriValueSz;                                                 [4]

    /* pass oriOID and oriValue to user callback, expect back
     * decryptedKey and size */
    ret = pkcs7->oriDecryptCb(pkcs7, oriOID, (word32)oriOIDSz, oriValue,
                              oriValueSz, decryptedKey, decryptedKeySz,
                              pkcs7->oriDecryptCtx);                    [5]
If the attacker-controlled sequence length seqSz used at [3] is smaller than the number of bytes already consumed by the oriType OID, (*idx - tmpIdx), the unsigned subtraction underflows and oriValueSz becomes extremely large. That value is then added to idx at [4] and passed, together with the oriValue pointer, to the user-defined callback at [5]. We can see this in the gdb output shown below:
Breakpoint at wc_PKCS7_DecryptOri, pkcs7.c:11527
(gdb) print seqSz
$1 = 4
(gdb) print *idx
$2 = 31
(gdb) print tmpIdx
$3 = 24
(gdb) print (word32)seqSz - (*idx - tmpIdx)
$4 = 4294967293
(gdb) next
11528 *idx += oriValueSz;
(gdb) print oriValueSz
$5 = 4294967293
The exact consequence of exploitation of this vulnerability will vary by implementation causing anything from unexpected behavior to a process crash, but in all cases the user callback will end up operating on unexpected data.
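The arithmetic at [3], reproduced as an added example that is not wolfSSL's code: the vulnerable subtraction beside an illustrative bounds-checked variant, run on the values from the gdb session above (seqSz = 4, *idx = 31, tmpIdx = 24). The message size 64, the ASN_PARSE_E value and the function names are assumptions, and the checked variant is a demonstration of the missing validation, not the vendor's patch.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t word32;
#define ASN_PARSE_E (-140)   /* placeholder; wolfSSL's real error value differs */

/* Vulnerable arithmetic from [3]: the subtraction wraps when the oriType OID
 * consumed more bytes than the declared OtherRecipientInfo length seqSz. */
word32 ori_value_sz_vulnerable(int seqSz, word32 idx, word32 tmpIdx)
{
    return (word32)seqSz - (idx - tmpIdx);
}

/* Illustrative hardened variant. Returns the ORI value size on success, or
 * ASN_PARSE_E when the declared sequence length cannot cover the bytes
 * already consumed, or when the value would extend past the end of pkiMsg. */
int64_t ori_value_sz_checked(int seqSz, word32 idx, word32 tmpIdx,
                             word32 pkiMsgSz)
{
    word32 consumed, oriValueSz;

    if (seqSz < 0 || idx < tmpIdx || idx > pkiMsgSz)
        return ASN_PARSE_E;
    consumed = idx - tmpIdx;               /* oriType OID header + body */
    if (consumed > (word32)seqSz)          /* the underflow case from [3] */
        return ASN_PARSE_E;
    oriValueSz = (word32)seqSz - consumed;
    if (oriValueSz > pkiMsgSz - idx)       /* oriValue must lie inside pkiMsg */
        return ASN_PARSE_E;
    return (int64_t)oriValueSz;
}

int main(void)
{
    /* Constructed inputs matching the advisory's gdb session: seqSz = 4,
     * *idx = 31, tmpIdx = 24, i.e. 7 bytes consumed by the OID. */
    printf("vulnerable:  %u\n", ori_value_sz_vulnerable(4, 31, 24));
    printf("checked:     %lld\n", (long long)ori_value_sz_checked(4, 31, 24, 64));
    /* A well-formed record: seqSz = 12 leaves 5 bytes of oriValue. */
    printf("well-formed: %lld\n", (long long)ori_value_sz_checked(12, 31, 24, 64));
    return 0;
}
```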
Vendor Link: https://nvd.nist.gov/vuln/detail/CVE-2026-6678
Vendor Notes: The new release, wolfSSL v5.9.2, was released June 23, 2026.
2026-04-29 - Initial Vendor Contact
2026-04-29 - Vendor Disclosure
2026-06-23 - Vendor Patch Release
2026-07-01 - Public Release
Ankur Tyagi of Cisco Talos