Vulnerability Description
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().
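The defect the description names is a length taken from ASN.1 parsing and trusted for a copy into a 32-byte stack array. The following is an added illustration written for this page, not wolfSSL's pkcs7.c: a constructed, deliberately minimal DER OBJECT IDENTIFIER parser feeds both the unchecked copy and the hardened copy, so the boundary (a 32-byte body fits, a 33-byte or long-form 200-byte body is refused before `memcpy`) can be exercised. Only the value 32 for `MAX_OID_SZ` comes from the page; `parse_oid_tlv`, `decrypt_ori_vulnerable`, `decrypt_ori_fixed`, `build_oid`, `probe_fixed` and the sample OID bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not wolfSSL source. The 32-byte limit mirrors the
 * MAX_OID_SZ stack buffer named in the advisory. */
#define MAX_OID_SZ 32

enum { ORI_OK = 0, ORI_BAD_INPUT = -1, ORI_OID_TOO_LONG = -2 };

/* Minimal DER OBJECT IDENTIFIER header parser (tag 0x06, body <= 255 bytes).
 * On success *bodyOff is the first byte of the OID body and *bodyLen its
 * length; both are already checked against the message size inSz. */
static int parse_oid_tlv(const uint8_t *in, size_t inSz,
                         size_t *bodyOff, size_t *bodyLen)
{
    size_t len, off;
    if (in == NULL || inSz < 2 || in[0] != 0x06)
        return ORI_BAD_INPUT;
    if (in[1] < 0x80) {          /* short-form length */
        len = in[1];
        off = 2;
    } else if (in[1] == 0x81) {  /* long-form length, one length byte */
        if (inSz < 3)
            return ORI_BAD_INPUT;
        len = in[2];
        off = 3;
    } else {
        return ORI_BAD_INPUT;    /* longer forms not needed here */
    }
    if (len == 0 || len > inSz - off)
        return ORI_BAD_INPUT;    /* body must lie inside the message */
    *bodyOff = off;
    *bodyLen = len;
    return ORI_OK;
}

/* Shape of the defect: the parsed length is trusted for the copy into a
 * fixed stack buffer, so a body longer than MAX_OID_SZ writes past oriOID.
 * The example only ever calls this with an in-bounds OID. */
static int decrypt_ori_vulnerable(const uint8_t *msg, size_t msgSz)
{
    uint8_t oriOID[MAX_OID_SZ];
    size_t off, len;
    int rc = parse_oid_tlv(msg, msgSz, &off, &len);
    if (rc != ORI_OK)
        return rc;
    memcpy(oriOID, msg + off, len);   /* len never compared to MAX_OID_SZ */
    return (int)len;                  /* stand-in for passing oriOID on */
}

/* Hardened form: refuse the OID before the copy if it cannot fit. */
static int decrypt_ori_fixed(const uint8_t *msg, size_t msgSz)
{
    uint8_t oriOID[MAX_OID_SZ];
    size_t off, len;
    int rc = parse_oid_tlv(msg, msgSz, &off, &len);
    if (rc != ORI_OK)
        return rc;
    if (len > sizeof(oriOID))
        return ORI_OID_TOO_LONG;      /* the bound check the bug lacked */
    memcpy(oriOID, msg + off, len);
    return (int)len;
}

/* Constructed well-formed 9-byte OID (2.16.840.1.101.3.4.1.2, AES-128-CBC). */
static const uint8_t good_oid[] = {
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02
};

/* Write a DER OID with a bodyLen-byte body of 0x2A into buf; returns the
 * encoded size, or 0 if bodyLen is unsupported or buf is too small. */
static size_t build_oid(uint8_t *buf, size_t bufSz, size_t bodyLen)
{
    size_t off = 2;
    if (bodyLen == 0 || bodyLen > 255 || bufSz < bodyLen + 3)
        return 0;
    buf[0] = 0x06;
    if (bodyLen < 0x80) {
        buf[1] = (uint8_t)bodyLen;
    } else {
        buf[1] = 0x81;
        buf[2] = (uint8_t)bodyLen;
        off = 3;
    }
    memset(buf + off, 0x2A, bodyLen);
    return off + bodyLen;
}

/* Build an OID with a body of bodyLen bytes and run it through the
 * hardened path; the result shows where the 32-byte boundary is enforced. */
static int probe_fixed(size_t bodyLen)
{
    uint8_t msg[3 + 255];
    size_t sz = build_oid(msg, sizeof(msg), bodyLen);
    if (sz == 0)
        return ORI_BAD_INPUT;
    return decrypt_ori_fixed(msg, sz);
}

int main(void)
{
    /* The 9-byte OID is accepted; a 33-byte body is refused before the copy. */
    return (decrypt_ori_fixed(good_oid, sizeof(good_oid)) == 9 &&
            decrypt_ori_vulnerable(good_oid, sizeof(good_oid)) == 9 &&
            probe_fixed(33) == ORI_OID_TOO_LONG) ? 0 : 1;
}
```

The two decrypt functions are identical on in-bounds input, which is why the defect survives ordinary interoperability testing; the difference only shows on a message whose OID length field exceeds the destination buffer, and the hardened form makes that a parse error rather than a stack write.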
CVSS Score
8.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| wolfSSL | wolfSSL | < 5.9.1 |
Related Weaknesses (CWE)
References
- https://github.com/wolfSSL/wolfssl/pull/10116 (Issue Tracking, Patch)
FAQ
What is CVE-2026-5295?
CVE-2026-5295 is a vulnerability with a CVSS score of 8.0 (HIGH). A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipien...
How severe is CVE-2026-5295?
CVE-2026-5295 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-5295?
Check the references section above for vendor advisories and patch information. Affected products include: wolfSSL wolfSSL.