CVE-2026-8720
Analyzed Analyzed - Analysis Complete

HMAC-BLAKE2 Key-Length Handling Flaw in wolfSSL

Vulnerability report for CVE-2026-8720, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-27

Assigner: wolfSSL Inc.

Description

wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-27
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.9.0 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-354 The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in wolfSSL's HMAC-BLAKE2 implementation causes incorrect MAC computations when keys exceed the block size, potentially leading to cryptographic failures. Such failures can undermine data integrity and authentication mechanisms, which are critical for compliance with standards like GDPR and HIPAA that require strong data protection and integrity controls.

By fixing the vulnerability through proper zero-padding, using separate hash states, and adding regression tests, wolfSSL ensures compliance with the HMAC specification, thereby supporting adherence to security requirements mandated by these regulations.

Detection Guidance

This vulnerability relates to improper handling of oversized keys in the wolfSSL library's HMAC-BLAKE2 implementations. Detection involves verifying if your system or application uses wolfSSL version 5.9.0 or later with the affected HMAC-BLAKE2 APIs and whether oversized keys are being used in HMAC computations.

Since the issue is internal to the cryptographic library's handling of keys, direct network detection commands are not provided. However, you can check the wolfSSL version installed on your system using commands like:

  • For Linux systems: `wolfssl-config --version` or checking the package manager, e.g., `dpkg -l | grep wolfssl` or `rpm -qa | grep wolfssl`.
  • For applications, review logs or debug output to identify usage of HMAC-BLAKE2 with keys longer than the block size.

Additionally, you may perform code audits or runtime tracing to detect calls to `wc_Blake2bHmacFinal` or `wc_Blake2sHmacFinal` with oversized keys.

Mitigation Strategies

To mitigate this vulnerability, immediately update the wolfSSL library to a version that includes the fix for CVE-2026-8720.

The fix involves zero-initializing the block-sized key buffer, using a separate temporary BLAKE2 state for hashing oversized keys, and regression tests to ensure correct behavior.

If updating is not immediately possible, avoid using keys longer than the BLAKE2 block size with the HMAC-BLAKE2 APIs to prevent triggering the vulnerability.

Review your cryptographic key management policies to ensure keys conform to recommended sizes.

Executive Summary

This vulnerability occurs in the wc_Blake2bHmacFinal and wc_Blake2sHmacFinal functions of wolfSSL's HMAC-BLAKE2 APIs introduced in version 5.9.0. When the key length exceeds the BLAKE2 block size, these functions discard the message data during processing, causing the resulting Message Authentication Code (MAC) to depend only on the key and not on the actual message being authenticated.

Impact Analysis

Because the MAC produced is independent of the input message when the key is too long, an attacker could exploit this to bypass message authentication. This undermines the integrity guarantees of the HMAC, potentially allowing unauthorized modification or spoofing of messages without detection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart