CVE-2026-6331
Analyzed Analyzed - Analysis Complete

HMAC Tag Forgery in wolfSSL

Vulnerability report for CVE-2026-6331, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-27

Assigner: wolfSSL Inc.

Description

HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or otherwise truncated tag could pass verification. The fix requires the supplied tag length to exactly equal the MAC length and rejects a zero-length MAC, so a forged short or empty tag is no longer accepted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-27
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 3.15.5 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an HMAC zero-length tag forgery issue in the EVP_DigestVerifyFinal function. It occurs because the verification process accepted a zero-length or truncated HMAC tag as valid. Specifically, the OpenSSL-compatible HMAC verification path only checked that the supplied signature length did not exceed the MAC length, allowing a zero-length or shortened tag to pass verification incorrectly.

The fix for this vulnerability requires that the supplied tag length exactly matches the MAC length and rejects any zero-length MAC tags, preventing forged short or empty tags from being accepted.

Impact Analysis

This vulnerability can allow an attacker to forge an HMAC tag by providing a zero-length or truncated tag that is incorrectly accepted as valid. This undermines the integrity verification of messages or data protected by HMAC, potentially allowing unauthorized data to be accepted as authentic.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to a version that includes the fix for CVE-2026-6331. The fix enforces that the supplied HMAC tag length must exactly equal the MAC length and rejects zero-length MACs, preventing forged short or empty tags from passing verification.

Applying the patch from wolfSSL's Pull Request #10192 is recommended, as it hardens the EVP HMAC verification process and prevents zero-length tag forgery.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart