CVE-2026-5295
Received Received - Intake
Stack Buffer Overflow in wolfSSL PKCS7 ORI Decryption

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: wolfSSL Inc.

Description
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5295
EUVD
EUVD-2026-21228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stack buffer overflow in wolfSSL's PKCS7 implementation, specifically in the wc_PKCS7_DecryptOri() function. When processing a CMS EnvelopedData message that contains an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed Object Identifier (OID) into a fixed-size 32-byte stack buffer without checking if the OID length exceeds this buffer size. If a crafted message contains an OID longer than 32 bytes, it causes a stack buffer overflow.

Exploitation requires that the wolfSSL library is built with the PKCS7 feature enabled (which is disabled by default) and that the application has registered an ORI decrypt callback.

Impact Analysis

The stack buffer overflow can lead to memory corruption, which may allow an attacker to execute arbitrary code, cause a denial of service (crash), or compromise the security of the affected system.

However, exploitation requires specific conditions: the library must be built with PKCS7 enabled and the application must have registered an ORI decrypt callback, which may limit the exposure.

Mitigation Strategies

To mitigate this vulnerability, ensure that the wolfSSL library is not built with the --enable-pkcs7 option enabled, as this feature is disabled by default.

Additionally, avoid registering an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb() in your application, since exploitation requires this callback to be registered.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5295. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart