CVE-2026-5392
Heap Out-of-Bounds Read in wolfSSL PKCS7 Parsing
Publication date: 2026-04-10
Last updated on: 2026-04-29
Assigner: wolfSSL Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | before 5.9.1 (5.9.1 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5392 is a security vulnerability in the wolfSSL cryptographic library related to the PKCS7 streaming parser. Specifically, it is a heap out-of-bounds (OOB) read issue that occurs during the parsing of indefinite-length PKCS7 messages. The vulnerability arises because the parser lacks proper bounds checking in the indefinite-length end-of-content verification loop within the PKCS7_VerifySignedData() function.
This missing bounds check allows a crafted PKCS7 message to trigger an out-of-bounds read on the heap, potentially leading to memory corruption or other security risks. The issue was fixed by adding validation to ensure that the parsing process does not exceed buffer limits when handling the end-of-content markers in PKCS7 streaming mode.
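The class of check described above, as an added illustration that is not wolfSSL's code and not the actual patch: a small BER walker that skips one value, including indefinite-length constructed values terminated by the 00 00 end-of-content marker, and tests the remaining length before every read. The names skip_ber_value, check_ber_message and the BER_* result codes are assumed for this example.

```c
#include <stddef.h>
/* Result codes for the scan (names assumed for this example). */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2 };
/* Skip one BER value starting at buf[*idx] and advance *idx past it.
 * Handles short-form, long-form and indefinite-length (0x80) encodings;
 * an indefinite-length constructed value ends with the 00 00 marker.
 * Every read is preceded by a remaining-length check. */
static int skip_ber_value(const unsigned char *buf, size_t len, size_t *idx)
{
    size_t i = *idx;
    if (i >= len) return BER_TRUNCATED;
    i++;                                  /* tag (single-byte tags assumed) */
    if (i >= len) return BER_TRUNCATED;
    unsigned char lb = buf[i++];          /* first length byte */
    if (lb == 0x80) {
        /* Indefinite length: consume nested values until 00 00. Without the
         * "len - i < 2" test, a message ending right after a nested value
         * would make the marker comparison read two bytes past the buffer. */
        for (;;) {
            if (len - i < 2) return BER_TRUNCATED;
            if (buf[i] == 0x00 && buf[i + 1] == 0x00) { i += 2; break; }
            int rc = skip_ber_value(buf, len, &i);
            if (rc != BER_OK) return rc;
        }
    } else if (lb & 0x80) {
        /* Long form: low 7 bits give the number of length octets. */
        size_t n = lb & 0x7f, l = 0;
        if (n == 0 || n > sizeof(size_t) || len - i < n) return BER_BAD_LENGTH;
        while (n--) l = (l << 8) | buf[i++];
        if (len - i < l) return BER_TRUNCATED;
        i += l;
    } else {
        /* Short form: lb is the content length. */
        if (len - i < lb) return BER_TRUNCATED;
        i += lb;
    }
    *idx = i;
    return BER_OK;
}
/* Check that buf holds exactly one complete BER value. Returns BER_OK,
 * or an error code if the value is truncated or has trailing bytes. */
int check_ber_message(const unsigned char *buf, size_t len)
{
    size_t idx = 0;
    int rc = skip_ber_value(buf, len, &idx);
    if (rc != BER_OK) return rc;
    return idx == len ? BER_OK : BER_BAD_LENGTH;
}
```

A production walker would additionally cap nesting depth, since the recursion here grows with each nested indefinite-length value.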
How can this vulnerability impact me?
This vulnerability can impact you by allowing a specially crafted PKCS7 message to cause an out-of-bounds read on the heap during cryptographic message parsing in wolfSSL. Such out-of-bounds memory access can lead to memory corruption, which may result in application crashes, denial of service, or potentially enable an attacker to execute arbitrary code or leak sensitive information.
Because the vulnerability affects the integrity of memory handling in a cryptographic library, it can undermine the security and stability of applications relying on wolfSSL for PKCS7 message verification.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-5392 vulnerability, you should update the wolfSSL library to version 5.9.1 or later, which includes the patch that adds necessary bounds checks to the PKCS7 streaming indefinite-length end-of-content parsing.
This update prevents out-of-bounds reads on the heap by ensuring safe parsing of indefinite-length PKCS7 data streams, thereby mitigating potential memory corruption or security risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-5392 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.