CVE-2026-0819

A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wolfSSL/wolfssl/pull/9630	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*

History

29 Apr 2026, 18:50

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.1
References	~~() https://github.com/wolfSSL/wolfssl/pull/9630 -~~	() https://github.com/wolfSSL/wolfssl/pull/9630 - Issue Tracking, Patch
CPE		cpe:2.3:a:wolfssl:wolfssl::::::::
First Time		Wolfssl Wolfssl wolfssl
Summary		(es) Una vulnerabilidad de desbordamiento de búfer de pila existe en la funcionalidad de codificación de datos firmados (SignedData) PKCS7 de wolfSSL. En wc_PKCS7_BuildSignedAttributes(), al añadir atributos firmados personalizados, el código pasa un valor de capacidad incorrecto (esd->signedAttribsCount) a EncodeAttributes() en lugar del espacio disponible restante en el array de tamaño fijo signedAttribs[7]. Cuando una aplicación establece pkcs7->signedAttribsSz a un valor mayor que MAX_SIGNED_ATTRIBS_SZ (por defecto 7) menos el número de atributos por defecto ya añadidos, EncodeAttributes() escribe más allá de los límites del array, causando corrupción de memoria de pila. En compilaciones WOLFSSL_SMALL_STACK, esto se convierte en corrupción de heap. La explotación requiere una aplicación que permita que la entrada no confiable controle el tamaño del array signedAttribs al llamar a wc_PKCS7_EncodeSignedData() o funciones de firma relacionadas.

19 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 17:16

Updated : 2026-04-29 18:50

NVD link : CVE-2026-0819

Mitre link : CVE-2026-0819

CVE.ORG link : CVE-2026-0819

JSON object : View

Products Affected

wolfssl

wolfssl

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

7.1 /10