Talos Vulnerability Report

TALOS-2026-2408

WolfSSL wolfSSL PKCS#7 OtherRecipientInfo integer underflow vulnerability

July 1, 2026
CVE Number

CVE-2026-6678

Summary

An integer underflow vulnerability exists in the PKCS#7 OtherRecipientInfo functionality of wolfSSL (version(s): 5.9.1). A specially crafted malformed ASN.1 record can lead to a heap buffer overflow and potentially to arbitrary code execution. An attacker can supply such a record to trigger this vulnerability.

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

wolfSSL (version(s): 5.9.1)

Product URLs

wolfSSL - https://www.wolfssl.com/

CVSSv3 Score

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

Details

wolfSSL is a lightweight, portable C-language SSL/TLS library targeted at IoT, embedded and RTOS environments due to its small size and high performance. It supports the latest security standards, including TLS 1.3 and DTLS 1.2, while maintaining a footprint significantly smaller than traditional libraries like OpenSSL.

Within its wolfcrypt package, wolfSSL supports a variety of crypto algorithms, including PKCS#7. While parsing the Other Recipient Info (ORI) portion of a PKCS#7 blob, wolfSSL fails to sufficiently validate the values used to calculate the ORI value’s size field, causing an integer underflow under certain conditions.

In the code block shown below, seqSz is declared at [1] and is then assigned the decoded length read from the attacker-controlled pkiMsg by the call to GetLength at [2]. seqSz is not modified again until it is used at [3] to calculate the size of the ORI value.

/* Decrypt ASN.1 OtherRecipientInfo (ori), as defined by:
 *
 *   OtherRecipientInfo ::= SEQUENCE {
 *     oriType OBJECT IDENTIFIER,
 *     oriValue ANY DEFINED BY oriType }
 *
 * pkcs7          - pointer to initialized PKCS7 structure
 * pkiMsg         - pointer to encoded CMS bundle
 * pkiMsgSz       - size of pkiMsg, bytes
 * idx            - [IN/OUT] pointer to index into pkiMsg
 * decryptedKey   - [OUT] output buf for decrypted content encryption key
 * decryptedKeySz - [IN/OUT] size of buffer, size of decrypted key
 * recipFound     - [OUT] 1 if recipient has been found, 0 if not
 *
 * Return 0 on success, negative upon error.
 */
static int wc_PKCS7_DecryptOri(wc_PKCS7* pkcs7, byte* in, word32 inSz,
                               word32* idx, byte* decryptedKey,
                               word32* decryptedKeySz, int* recipFound)
{
    int ret, seqSz, oriOIDSz;                                                                    [1]
    word32 oriValueSz, tmpIdx;
    byte* oriValue;
    byte oriOID[MAX_OID_SZ];
...
            pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length: inSz;
        #endif
            /* get OtherRecipientInfo sequence length */
            if (GetLength(pkiMsg, idx, &seqSz, pkiMsgSz) < 0)                                    [2]
                return ASN_PARSE_E;

            tmpIdx = *idx;

            /* remove and store oriType OBJECT IDENTIFIER */
            if (GetASNObjectId(pkiMsg, idx, &oriOIDSz, pkiMsgSz) != 0)
                return ASN_PARSE_E;

            if (oriOIDSz <= 0 || (word32)oriOIDSz > MAX_OID_SZ) {
                WOLFSSL_MSG("ORI oriType OID too large");
                return ASN_PARSE_E;
            }

            XMEMCPY(oriOID, pkiMsg + *idx, (word32)oriOIDSz);
            *idx += (word32)oriOIDSz;

            /* get oriValue, increment idx */
            oriValue = pkiMsg + *idx;
            oriValueSz = (word32)seqSz - (*idx - tmpIdx);                                        [3]
            *idx += oriValueSz;                                                                  [4]

            /* pass oriOID and oriValue to user callback, expect back
               decryptedKey and size */
            ret = pkcs7->oriDecryptCb(pkcs7, oriOID, (word32)oriOIDSz, oriValue,
                                      oriValueSz, decryptedKey, decryptedKeySz,
                                      pkcs7->oriDecryptCtx);                                     [5]

If the attacker-controlled seqSz used at [3] is smaller than the (*idx - tmpIdx) calculation, the unsigned subtraction underflows and oriValueSz becomes extremely large. This value is then used to advance idx at [4] and is passed to the user-defined callback at [5]. We can see this in the gdb output shown below:

Breakpoint at wc_PKCS7_DecryptOri, pkcs7.c:11527
(gdb) print seqSz
$1 = 4
(gdb) print *idx
$2 = 31
(gdb) print tmpIdx
$3 = 24
(gdb) print (word32)seqSz - (*idx - tmpIdx)
$4 = 4294967293
(gdb) next
11528  *idx += oriValueSz;
(gdb) print oriValueSz
$5 = 4294967293

The exact consequence of exploiting this vulnerability will vary by implementation, causing anything from unexpected behavior to a process crash, but in all cases the user callback will end up operating on unexpected data.
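As an added illustration (not wolfSSL's code and not the advisory's proof of concept), the C program below mirrors the control flow of wc_PKCS7_DecryptOri from the SEQUENCE length onward with small stand-in length and OID readers, reproduces the wrapped value from the gdb session on a constructed record, and shows the bounds check that rejects such a record before the subtraction at [3]. The helper names get_length, get_oid, parse_ori_value_size, build_ori and run_ori, the ORI_PARSE_E error code and the 40-byte sample buffer are all assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t word32;
typedef uint8_t  byte;

#define ORI_PARSE_E (-1)   /* stand-in; wolfSSL's ASN_PARSE_E has another value */
#define FILLER      22     /* puts the SEQUENCE length byte at offset 23 */
#define BUF_SZ      40

/* Short-form DER length reader standing in for wolfSSL's GetLength(): reads
 * the length byte at *idx, steps past it and checks the element fits in
 * maxIdx. Long-form lengths are rejected to keep the example small. */
static int get_length(const byte* buf, word32* idx, int* len, word32 maxIdx)
{
    byte b;
    if (*idx >= maxIdx) return ORI_PARSE_E;
    b = buf[*idx];
    if (b & 0x80) return ORI_PARSE_E;
    (*idx)++;
    if (*idx + b > maxIdx) return ORI_PARSE_E;
    *len = b;
    return 0;
}

/* Stand-in for GetASNObjectId(): expects the OBJECT IDENTIFIER tag (0x06),
 * reads the length and leaves *idx at the first byte of the OID body. */
static int get_oid(const byte* buf, word32* idx, int* oidSz, word32 maxIdx)
{
    if (*idx >= maxIdx || buf[*idx] != 0x06) return ORI_PARSE_E;
    (*idx)++;
    return get_length(buf, idx, oidSz, maxIdx);
}

/* Mirrors wc_PKCS7_DecryptOri from the SEQUENCE length onward; *idx must point
 * at the SEQUENCE length byte (the 0x30 tag is already consumed, as in
 * wolfSSL). hardened == 0 computes the size exactly as at [3]; hardened != 0
 * first checks that the bytes consumed by oriType do not exceed seqSz, so the
 * subtraction cannot wrap. Returns 0 and sets *oriValueSz, or ORI_PARSE_E. */
int parse_ori_value_size(const byte* pkiMsg, word32 pkiMsgSz, word32* idx,
                         int hardened, word32* oriValueSz)
{
    int seqSz, oriOIDSz;
    word32 tmpIdx, consumed;

    if (get_length(pkiMsg, idx, &seqSz, pkiMsgSz) < 0)            /* [2] */
        return ORI_PARSE_E;
    tmpIdx = *idx;

    if (get_oid(pkiMsg, idx, &oriOIDSz, pkiMsgSz) != 0 || oriOIDSz <= 0)
        return ORI_PARSE_E;
    *idx += (word32)oriOIDSz;              /* step past the OID body */

    consumed = *idx - tmpIdx;              /* OID tag + length + body */
    if (hardened && consumed > (word32)seqSz)
        return ORI_PARSE_E;                /* oriType overruns the SEQUENCE */

    *oriValueSz = (word32)seqSz - consumed;                       /* [3] */
    *idx += *oriValueSz;                                          /* [4] */
    return 0;
}

/* Constructed record (not the advisory's PoC): 22 zero filler bytes, then an
 * ORI whose SEQUENCE length byte is seqLen. The oriType OID TLV is 7 bytes,
 * so tmpIdx == 24 and *idx == 31 after it, matching the gdb session. */
static word32 build_ori(byte* buf, byte seqLen)
{
    static const byte rec[] = {
        0x06, 0x05, 0x2B, 0x06, 0x01, 0x04, 0x01, /* oriType: OID 1.3.6.1.4.1 */
        0x05, 0x00                                /* oriValue: NULL, 2 bytes  */
    };
    memset(buf, 0, BUF_SZ);
    buf[FILLER]     = 0x30;                       /* SEQUENCE tag */
    buf[FILLER + 1] = seqLen;
    memcpy(buf + FILLER + 2, rec, sizeof rec);
    return BUF_SZ;
}

/* Parses the constructed record with the given SEQUENCE length; returns the
 * parser's status and reports oriValueSz and the final idx. */
int run_ori(byte seqLen, int hardened, word32* oriValueSz, word32* idxOut)
{
    byte buf[BUF_SZ];
    word32 idx = FILLER + 1;               /* at the length byte */
    word32 sz = build_ori(buf, seqLen);
    int ret;
    *oriValueSz = 0;
    ret = parse_ori_value_size(buf, sz, &idx, hardened, oriValueSz);
    *idxOut = idx;
    return ret;
}

int main(void)
{
    word32 sz, idx;
    int ret = run_ori(0x04, 0, &sz, &idx);
    printf("seqSz=4 unchecked: ret=%d oriValueSz=%u idx=%u\n", ret, sz, idx);
    ret = run_ori(0x04, 1, &sz, &idx);
    printf("seqSz=4 hardened:  ret=%d\n", ret);
    ret = run_ori(0x09, 1, &sz, &idx);
    printf("seqSz=9 hardened:  ret=%d oriValueSz=%u idx=%u\n", ret, sz, idx);
    return 0;
}
```

With the malformed record (SEQUENCE length 4, OID TLV of 7 bytes) the unchecked path yields oriValueSz = 4294967293, the same value the gdb session prints, and the subsequent `*idx += oriValueSz` wraps idx back to 28, so the callback would be handed a length far beyond the buffer while the parser's own position silently moves backwards. The hardened path rejects the record on the invariant that a nested element can never be longer than the SEQUENCE that encloses it, which is the general check to apply before any "remaining = outer - consumed" subtraction in unsigned arithmetic; it is shown here as the natural mitigation, not as the vendor's exact patch.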

Vendor Response (CVE-2026-6678)

Vendor Link: https://nvd.nist.gov/vuln/detail/CVE-2026-6678

Vendor Notes: The new release, wolfSSL v5.9.2, was released June 23, 2026.

Timeline

2026-04-29 - Initial Vendor Contact
2026-04-29 - Vendor Disclosure
2026-06-23 - Vendor Patch Release
2026-07-01 - Public Release

Credit

Ankur Tyagi of Cisco Talos