CVE-2026-5295HIGH 8.0EPSS p7.2%

CVE-2026-5295CVE-2026-5295

Description

A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().

Scoring

CVSS 3.18.0 (HIGH)
VectorCVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.18% probability of exploitation · percentile 7.2% · 2026-06-19T12:03:05Z
Published2026-04-09
Last modified2026-04-29

Underlying weaknesses· 1

CWE-121

References

  1. https://github.com/wolfSSL/wolfssl/pull/10116

1

TypeTargetConfidenceTier
WeaknessStack-based Buffer Overflowcwe-1210%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-5187
CVE
CVE-2026-4395
CVE
CVE-2026-2646
CVE
CVE-2026-3548
CVE
CVE-2026-5188
CVE
CVE-2026-3849
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.