CVE-2026-5477
Integer Overflow in wolfCrypt CMAC Enables Tag Forgery

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: wolfSSL Inc.

Description
An integer overflow existed in the wolfCrypt CMAC implementation that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where the digest is all zeros and the XOR is a no-op). However, totalSz is a word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because the digest is zero-initialized by wc_InitCmac_ex.
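The chaining defect above can be reproduced in a small model without touching wolfSSL and without pushing 4 GiB through a MAC. The program below is an added illustration, not wolfCrypt code: `toy_encrypt` is a constructed keyed permutation standing in for the AES block encrypt (it is not a cipher), the RFC 4493 subkey/padding finalisation is omitted because it plays no part in the chaining step, and the `start_total` parameter is a constructed shortcut that pre-loads the 32-bit byte counter to stand in for data already absorbed. The names `toy_cmac_t`, `toy_cmac_update`, `prefix_swap_collides` and `ONE_BLOCK_BEFORE_WRAP` are assumptions of this example. It shows that with the `totalSz != 0` guard two messages differing only in the block just before the wrap receive the same tag, and that the unconditional XOR of the fix separates them again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SZ 16
typedef uint32_t word32;            /* same width as wolfCrypt's word32 */

/* Constructed 128-bit keyed permutation standing in for AES. It is NOT a
 * cipher; it only needs to be a bijection so distinct inputs give distinct
 * outputs in the comparisons below. */
static void toy_encrypt(const uint8_t key[BLOCK_SZ],
                        const uint8_t in[BLOCK_SZ], uint8_t out[BLOCK_SZ])
{
    uint8_t s[BLOCK_SZ];
    int i, r;
    memcpy(s, in, BLOCK_SZ);
    for (r = 0; r < 4; r++) {
        for (i = 0; i < BLOCK_SZ; i++) {
            uint8_t b = (uint8_t)(s[i] ^ key[i] ^ (uint8_t)r);
            b = (uint8_t)(b * 167u + 13u);            /* odd multiplier: bijective mod 256 */
            s[i] = (uint8_t)((b << 3) | (b >> 5));    /* rotate left by 3 */
        }
        for (i = 0; i < BLOCK_SZ; i++)                /* sequential neighbour add: invertible */
            s[i] = (uint8_t)(s[i] + s[(i + 1) % BLOCK_SZ]);
    }
    memcpy(out, s, BLOCK_SZ);
}

typedef struct {
    uint8_t key[BLOCK_SZ];
    uint8_t digest[BLOCK_SZ];  /* CBC-MAC chain state, zero-initialised as wc_InitCmac_ex does */
    word32  totalSz;           /* bytes absorbed so far; wraps to 0 after 4 GiB */
    int     vulnerable;        /* 1 = keep the `totalSz != 0` guard, 0 = fixed (unconditional XOR) */
} toy_cmac_t;

/* start_total (assumption of this model) pre-loads the counter so the wrap is
 * reachable without feeding 4 GiB through the function. */
static void toy_cmac_init(toy_cmac_t *c, const uint8_t key[BLOCK_SZ],
                          int vulnerable, word32 start_total)
{
    memcpy(c->key, key, BLOCK_SZ);
    memset(c->digest, 0, BLOCK_SZ);
    c->totalSz = start_total;
    c->vulnerable = vulnerable;
}

/* Absorb whole blocks only (partial-block buffering and finalisation omitted). */
static void toy_cmac_update(toy_cmac_t *c, const uint8_t *in, size_t inSz)
{
    uint8_t buffer[BLOCK_SZ];
    int i;
    while (inSz >= BLOCK_SZ) {
        memcpy(buffer, in, BLOCK_SZ);
        /* Vulnerable path: skip the XOR whenever totalSz == 0. Harmless on the
         * first block (digest is all zeros), but also true right after the
         * 32-bit counter wraps, which throws the chain state away.
         * Fixed path: XOR unconditionally; on the first block it is a no-op. */
        if (!c->vulnerable || c->totalSz != 0) {
            for (i = 0; i < BLOCK_SZ; i++)
                buffer[i] ^= c->digest[i];
        }
        toy_encrypt(c->key, buffer, c->digest);
        c->totalSz += BLOCK_SZ;   /* word32 arithmetic: back to 0 after 2^28 blocks */
        in += BLOCK_SZ;
        inSz -= BLOCK_SZ;
    }
}

#define ONE_BLOCK_BEFORE_WRAP ((word32)0xFFFFFFF0u)   /* 2^32 - 16 bytes already absorbed */

/* Tag two messages that differ only in their first block and share the second.
 * Returns 1 if the tags collide (prefix substitution undetected), else 0. */
static int prefix_swap_collides(int vulnerable, word32 start_total)
{
    /* Constructed sample key and message blocks. */
    static const uint8_t key[BLOCK_SZ] =
        { 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00 };
    static const uint8_t prefix_a[BLOCK_SZ] =
        { 0x50,0x52,0x45,0x46,0x49,0x58,0x2d,0x41,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 };
    static const uint8_t prefix_b[BLOCK_SZ] =
        { 0x50,0x52,0x45,0x46,0x49,0x58,0x2d,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02 };
    static const uint8_t suffix[BLOCK_SZ] =
        { 0x53,0x55,0x46,0x46,0x49,0x58,0x20,0x73,0x68,0x61,0x72,0x65,0x64,0x2e,0x2e,0x2e };
    uint8_t tag_a[BLOCK_SZ], tag_b[BLOCK_SZ];
    toy_cmac_t c;

    toy_cmac_init(&c, key, vulnerable, start_total);
    toy_cmac_update(&c, prefix_a, BLOCK_SZ);
    toy_cmac_update(&c, suffix, BLOCK_SZ);
    memcpy(tag_a, c.digest, BLOCK_SZ);

    toy_cmac_init(&c, key, vulnerable, start_total);
    toy_cmac_update(&c, prefix_b, BLOCK_SZ);
    toy_cmac_update(&c, suffix, BLOCK_SZ);
    memcpy(tag_b, c.digest, BLOCK_SZ);

    return memcmp(tag_a, tag_b, BLOCK_SZ) == 0;
}

int main(void)
{
    printf("vulnerable, below 4 GiB  : %s\n", prefix_swap_collides(1, 0) ? "COLLIDE" : "distinct");
    printf("vulnerable, at 4 GiB wrap: %s\n", prefix_swap_collides(1, ONE_BLOCK_BEFORE_WRAP) ? "COLLIDE" : "distinct");
    printf("fixed,      at 4 GiB wrap: %s\n", prefix_swap_collides(0, ONE_BLOCK_BEFORE_WRAP) ? "COLLIDE" : "distinct");
    return 0;
}
```

The middle line is the finding on this page: once `totalSz` has wrapped, the vulnerable update discards `E(prefix)` and the tag depends only on the shared suffix. The first line shows the same guard is harmless below 4 GiB, and the third line shows the fix (unconditional XOR) keeps the prefix in the chain. A real CMAC regression test would need to drive the counter through 2^28 blocks; the pre-loaded counter here is purely a modelling convenience.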
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-27
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
wolfssl  wolfssl   up to and including 5.9.0
CWE
CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an integer overflow in the wolfCrypt CMAC implementation. Specifically, the function wc_CmacUpdate uses a guard condition to skip XOR-chaining on the first block, assuming the digest is all zeros and XOR is a no-op. However, the totalSz variable is a 32-bit word that wraps to zero after processing 4 GiB of data, causing the guard to mistakenly discard the live CBC-MAC chain state.

As a result, any two messages that share a common suffix beyond the 4 GiB mark produce identical CMAC tags, enabling an attacker to forge CMAC tags by substituting prefixes without any computational work.

The fix involves removing the guard so that XOR is always performed; the no-op property on the first block is preserved because the digest is zero-initialized.


How can this vulnerability impact me?

This vulnerability allows an attacker to forge CMAC tags for messages that share a common suffix beyond 4 GiB of data. This means an attacker can substitute message prefixes without detection, potentially compromising message integrity and authenticity.

Such forgery can lead to unauthorized data manipulation or injection, undermining the security guarantees provided by CMAC in applications relying on wolfCrypt.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the wolfCrypt library to a version where the fix has been applied. The fix removes the guard that caused the integer overflow issue in the wc_CmacUpdate function, ensuring the XOR operation is unconditional and preventing CMAC tag forgery.

