CVE-2026-55961
Undergoing Analysis Undergoing Analysis - In Progress
wolfSSL PKCS#7 Verify Flaw in OpenSSL Compatibility Mode

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now rejects the object when no signer signature has actually been verified, so a PKCS#7 carrying no valid signature is no longer reported as verified. This is enforced regardless of the PKCS7_NOVERIFY flag, which only suppresses signer certificate chain validation and was never intended to waive the requirement that a signature exist. Only affects OpenSSL compatibility builds that call the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-55961
EUVD
EUVD-2026-39491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 3.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the wolfSSL library's OpenSSL compatibility build, specifically in the function wolfSSL_PKCS7_verify(). The function incorrectly returns success when verifying a degenerate PKCS#7 object that contains no signer information. Such an object has empty signerInfos, so the verification process succeeds without actually authenticating any content or signature.

The issue is that the verification path did not reject PKCS#7 objects that lacked a valid signature, allowing these objects to be reported as verified even though no signature was present or checked. This behavior was fixed by making the verification reject objects with no signer signature, regardless of the PKCS7_NOVERIFY flag, which only suppresses certificate chain validation but does not waive the requirement for a signature.

This vulnerability only affects OpenSSL compatibility builds of wolfSSL that use the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.

Impact Analysis

This vulnerability can lead to false verification of PKCS#7 signed data objects that actually contain no valid signature. As a result, an attacker could present unsigned or tampered data that appears to be verified and trusted by the application using wolfSSL's OpenSSL compatibility layer.

This undermines the integrity and authenticity guarantees normally provided by PKCS#7 signature verification, potentially allowing unauthorized or malicious content to be accepted as valid.

Compliance Impact

The vulnerability in wolfSSL's PKCS7_verify() function allowed degenerate PKCS#7 objects with no signer to be incorrectly verified as valid, potentially leading to unauthenticated content being accepted as verified.

This flaw could undermine the integrity and authenticity guarantees required by compliance standards such as GDPR and HIPAA, which mandate strong data protection and authentication mechanisms to protect sensitive information.

By allowing unauthenticated data to be accepted as verified, the vulnerability could lead to violations of these regulations' requirements for data integrity and authenticity, increasing the risk of unauthorized data manipulation or disclosure.

The fix enforces that PKCS#7 objects without valid signatures are no longer reported as verified, thereby restoring the expected security guarantees and helping maintain compliance with such standards.

Mitigation Strategies

To mitigate CVE-2026-55961, you should update the wolfSSL library to version 5.9.2 or later, which includes security hardening and correctness fixes addressing this vulnerability.

This update enforces stricter signature verification in PKCS7, preventing degenerate PKCS#7 objects without valid signatures from being reported as verified.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart