CVE-2026-5392
Received Received - Intake
Heap Out-of-Bounds Read in wolfSSL PKCS7 Parsing

Publication date: 2026-04-10

Last updated on: 2026-04-29

Assigner: wolfSSL Inc.

Description
Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5392
EUVD
EUVD-2026-21229
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5392 is a security vulnerability in the wolfSSL cryptographic library related to the PKCS7 streaming parser. Specifically, it is a heap out-of-bounds (OOB) read issue that occurs during the parsing of indefinite-length PKCS7 messages. The vulnerability arises because the parser lacks proper bounds checking in the indefinite-length end-of-content verification loop within the PKCS7_VerifySignedData() function.

This missing bounds check allows a crafted PKCS7 message to trigger an out-of-bounds read on the heap, potentially leading to memory corruption or other security risks. The issue was fixed by adding validation to ensure that the parsing process does not exceed buffer limits when handling the end-of-content markers in PKCS7 streaming mode.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-5392 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by allowing a specially crafted PKCS7 message to cause an out-of-bounds read on the heap during cryptographic message parsing in wolfSSL. Such out-of-bounds memory access can lead to memory corruption, which may result in application crashes, denial of service, or potentially enable an attacker to execute arbitrary code or leak sensitive information.

Because the vulnerability affects the integrity of memory handling in a cryptographic library, it can undermine the security and stability of applications relying on wolfSSL for PKCS7 message verification.

Mitigation Strategies

To mitigate the CVE-2026-5392 vulnerability, you should update the wolfSSL library to version 5.9.1 or later, which includes the patch that adds necessary bounds checks to the PKCS7 streaming indefinite-length end-of-content parsing.

This update prevents out-of-bounds reads on the heap by ensuring safe parsing of indefinite-length PKCS7 data streams, thereby mitigating potential memory corruption or security risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart