CVE-2026-1005
Received Received - Intake
Integer Underflow in wolfSSL Packet Sniffer Causes Remote Buffer Overflow

Publication date: 2026-03-19

Last updated on: 2026-04-29

Assigner: wolfSSL Inc.

Description
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1005
EUVD
EUVD-2026-13133
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.8.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1005 is an integer underflow vulnerability in the wolfSSL packet sniffer (versions up to 5.8.4). It occurs because the code processes malformed TLS packets without properly checking their length before subtracting certain constants related to encryption parameters. This causes the length to wrap around to a very large value, leading to a heap buffer overflow in the AEAD decryption routines. An attacker can exploit this by sending a specially crafted TLS record that is shorter than expected, triggering the overflow and potentially crashing the application.

Impact Analysis

This vulnerability can cause a heap buffer overflow and crash in the wolfSSL packet sniffer component. An unauthenticated attacker can remotely trigger this by sending malformed TLS Application Data records. The impact includes potential denial of service due to crashes and possibly other undefined behavior resulting from the buffer overflow, which could be leveraged for further attacks depending on the context.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch that adds the necessary length check to the wolfSSL packet sniffer implementation. This fix prevents the integer underflow and subsequent buffer overflow by validating packet lengths before processing.

Ensure that your wolfSSL version is updated to a version including the fix merged on December 23, 2025, or later. Additionally, verify that the sniffer is enabled and ARIA support is configured as per the tested patch conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1005. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart