CVE-2026-4159 in wolfSSL
Summary
by MITRE • 03/20/2026
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
Analysis
by VulDB Data Team • 05/05/2026
CVE-2026-4159 is a heap-based out-of-bounds read in the wolfSSL cryptographic library, version 5.8.4 and earlier. It manifests in wc_PKCS7_DecodeEnvelopedData when the function processes a crafted CMS EnvelopedData message whose encrypted content has zero length: the PKCS7 parsing logic does not bound the read that follows that content, and reads one byte past the end of a heap allocation. The defect is a memory-safety bug reachable through attacker-supplied input; its effects are information disclosure limited to that single byte or, more commonly, instability of the process doing the decoding. It deserves attention because the trigger is a legal-looking edge case (an empty encryptedContent field) rather than anything a length sanity check on the outer message would reject.
Technically the flaw comes from not validating the length of the encrypted content within the EnvelopedData structure before reading from the heap buffer that holds it: with zero-length content the parsing routine's next access lands exactly at the end of the allocation, one byte beyond the last valid offset. The vulnerability is classified under CWE-125 (Out-of-bounds Read). The practical consequences of a single-byte over-read should be stated carefully. At most one byte of adjacent heap memory is read, and it is only disclosed if that byte influences something the attacker can observe, such as an error code, a returned length or a branch taken by the parser. It does not on its own expose cryptographic keys or session data. In builds with hardened allocators, guard pages or AddressSanitizer the likelier outcome is an abort, which is a denial-of-service condition for the decoding process.
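To make the mechanism concrete, the following is an added example and not wolfSSL's code: it does not reproduce the wolfSSL decoder or the exact wolfSSL code path. It is a toy DER walker for the tail of a CMS EncryptedContentInfo, written once in the vulnerable shape (after a zero-length encryptedContent it peeks one byte further for an optional trailing element without checking that a byte remains) and once with the bounds check. The message bytes, the function names and the assumption that the over-read is a peek for a following element are this example's own.

```c
/* Added illustration of the bug class behind CVE-2026-4159. Not wolfSSL's
 * code: the decoder, its names and the message layout are assumptions. It
 * models the tail of a CMS EncryptedContentInfo: after a zero-length [0]
 * encryptedContent, a peek for an optional trailing element reads past the
 * end of the message buffer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_SEQ  0x30
#define TAG_OID  0x06
#define TAG_CTX0 0x80   /* [0] IMPLICIT OCTET STRING: encryptedContent   */
#define TAG_CTX1 0xA1   /* [1] constructed: optional trailing attributes */

/* Constructed sample: SEQUENCE { OID id-data, [0] encryptedContent (len 0) }.
 * The AlgorithmIdentifier is omitted for brevity. 15 bytes in total. */
static const uint8_t MSG_ZERO_LEN[] = {
    0x30, 0x0d,
      0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01,
      0x80, 0x00
};

/* Reads a short-form DER tag/length at *idx and checks that the content fits
 * in the first sz bytes of buf. On success advances *idx to the content. */
static int get_tlv(const uint8_t *buf, size_t sz, size_t *idx,
                   uint8_t *tag, size_t *len)
{
    if (*idx > sz || sz - *idx < 2) return -1;
    *tag = buf[*idx];
    *len = buf[*idx + 1];
    if (*len & 0x80) return -1;     /* long-form lengths not handled here */
    *idx += 2;
    if (*len > sz - *idx) return -1;
    return 0;
}

/* Walks SEQUENCE { OID, [0] encryptedContent }. Returns the index just past
 * encryptedContent and sets *seqEnd to the end of the SEQUENCE; 0 on error. */
static size_t parse_prefix(const uint8_t *buf, size_t sz, size_t *seqEnd,
                           const uint8_t **enc, size_t *encLen)
{
    size_t idx = 0, len;
    uint8_t tag;
    if (get_tlv(buf, sz, &idx, &tag, &len) || tag != TAG_SEQ) return 0;
    sz = *seqEnd = idx + len;       /* stay inside the SEQUENCE body */
    if (get_tlv(buf, sz, &idx, &tag, &len) || tag != TAG_OID) return 0;
    idx += len;
    if (get_tlv(buf, sz, &idx, &tag, &len) || tag != TAG_CTX0) return 0;
    *enc = buf + idx;
    *encLen = len;
    return idx + len;
}

/* VULNERABLE pattern: every length so far was checked, but the peek for an
 * optional [1] element is not. With zero-length content, end == sz, so
 * buf[end] is one byte past the allocation. */
int decode_vuln(const uint8_t *buf, size_t sz,
                const uint8_t **enc, size_t *encLen, int *hasAttrs)
{
    size_t seqEnd, end = parse_prefix(buf, sz, &seqEnd, enc, encLen);
    if (end == 0) return -1;
    *hasAttrs = (buf[end] == TAG_CTX1);   /* unchecked 1-byte read */
    return 0;
}

/* HARDENED: a byte is read only if it lies inside the enclosing SEQUENCE. */
int decode_safe(const uint8_t *buf, size_t sz,
                const uint8_t **enc, size_t *encLen, int *hasAttrs)
{
    size_t seqEnd, end = parse_prefix(buf, sz, &seqEnd, enc, encLen);
    if (end == 0) return -1;
    *hasAttrs = (end < seqEnd && buf[end] == TAG_CTX1);
    return 0;
}

/* Harness: copies MSG_ZERO_LEN into a buffer with one extra byte set to
 * `slack` and decodes with the DER's true size, so the vulnerable peek lands
 * on `slack` instead of on unowned memory. Returns hasAttrs, or -1 on error. */
int decode_with_slack(int use_vulnerable, uint8_t slack)
{
    uint8_t buf[sizeof MSG_ZERO_LEN + 1];
    const uint8_t *enc; size_t encLen; int hasAttrs, rc;
    memcpy(buf, MSG_ZERO_LEN, sizeof MSG_ZERO_LEN);
    buf[sizeof MSG_ZERO_LEN] = slack;
    rc = use_vulnerable
        ? decode_vuln(buf, sizeof MSG_ZERO_LEN, &enc, &encLen, &hasAttrs)
        : decode_safe(buf, sizeof MSG_ZERO_LEN, &enc, &encLen, &hasAttrs);
    return rc ? -1 : hasAttrs;
}

int main(void)
{
    /* Exact-size heap copy: decode_vuln reads heap[15] of a 15-byte block.
     * Build with -fsanitize=address to get the heap-buffer-overflow report. */
    size_t n = sizeof MSG_ZERO_LEN, encLen;
    uint8_t *heap = malloc(n);
    const uint8_t *enc;
    int hasAttrs;
    if (heap == NULL) return 1;
    memcpy(heap, MSG_ZERO_LEN, n);
    printf("safe: rc=%d\n", decode_safe(heap, n, &enc, &encLen, &hasAttrs));
    printf("vuln: rc=%d\n", decode_vuln(heap, n, &enc, &encLen, &hasAttrs));
    free(heap);
    return 0;
}
```

The slack-byte harness shows why a one-byte over-read matters even without a crash: whatever happens to sit after the allocation decides whether the decoder believes an attributes element is present, so heap contents steer the parse. Under AddressSanitizer the main() path reports a heap-buffer-overflow READ of size 1 on the vulnerable call.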
The operational impact depends on where the decoder sits. Exploitation requires a wolfSSL build with PKCS7 support compiled in (it is disabled by default) and an input path that delivers attacker-chosen CMS EnvelopedData to wc_PKCS7_DecodeEnvelopedData. Builds without PKCS7 are not affected by this issue; those that use it, for instance for S/MIME mail, enveloped firmware or configuration blobs, or messaging protocols layered on CMS, are exposed. This entry maps the issue to ATT&CK technique T1552.001 (Unsecured Credentials) and T1005 (Data from Local System) on the grounds that memory holding cryptographic material could be read; for a one-byte over-read that is the theoretical ceiling, and a crash of the decoding process is the more realistic outcome. The attack surface is therefore most relevant where the decoder runs inside a long-lived service that accepts messages from untrusted senders.
Mitigation is to update affected deployments to wolfSSL 5.8.5 or later, which contains the fix for the heap read. Because wolfSSL is frequently vendored into firmware, SDKs and embedded products, the inventory step matters more than usual: identify every copy, read its LIBWOLFSSL_VERSION_STRING, and check whether HAVE_PKCS7 is defined (configure's --enable-pkcs7, or the define in a user_settings.h build). Copies built without PKCS7 are out of scope for this CVE, and the default-off setting is a genuine defense-in-depth measure for everyone who does not need enveloped data. Network monitoring for malformed EnvelopedData messages is rarely practical, since CMS is usually carried inside S/MIME or an application protocol rather than seen on the wire in isolation; effort is better spent on fuzzing the PKCS7 decoder in your own build under AddressSanitizer, which reports a one-byte over-read deterministically, and on restricting which parties can deliver messages to the decoder while the patch is rolled out. The vulnerability illustrates why parsers for variable-length formats such as PKCS7 and CMS must confirm that a byte remains before every read, including in the empty-content case.
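For the inventory step, an added example that is not wolfSSL's own tooling: it classifies a build from the generated wolfssl/options.h and wolfssl/version.h headers as patched, old but without PKCS7, or exposed. It assumes those headers carry a "#define HAVE_PKCS7" line and a LIBWOLFSSL_VERSION_STRING "x.y.z" define in the shape configure emits them; the sample header text it ships with is constructed, and the function and constant names are this example's own.

```c
/* Added example, not wolfSSL's tooling: decides from a build's generated
 * wolfssl/options.h and wolfssl/version.h whether it is in scope for this
 * advisory (version 5.8.4 or earlier with PKCS7 compiled in). It relies on
 * configure emitting "#define HAVE_PKCS7" into options.h and
 * LIBWOLFSSL_VERSION_STRING "x.y.z" into version.h; the sample header text
 * below is constructed, and the names used here are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BUILD_UNKNOWN = -1, BUILD_PATCHED = 0, BUILD_OLD_NO_PKCS7 = 1, BUILD_EXPOSED = 2 };

/* Last affected release named in the advisory. */
static const int LAST_AFFECTED[3] = {5, 8, 4};

/* Component-wise a <= b for major.minor.patch triples. */
static int version_le(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i]) return a[i] < b[i];
    }
    return 1;
}

/* Pulls the quoted value of LIBWOLFSSL_VERSION_STRING out of version.h text
 * and parses "major.minor.patch" (a suffix such as "-stable" is ignored). */
static int extract_version(const char *version_h, int v[3])
{
    const char *p = strstr(version_h, "LIBWOLFSSL_VERSION_STRING");
    if (p == NULL || (p = strchr(p, '"')) == NULL) return -1;
    return sscanf(p + 1, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3 ? 0 : -1;
}

/* True if options.h text has a "#define HAVE_PKCS7" line. configure writes an
 * "#undef HAVE_PKCS7" guard just before it, which must not count. */
static int has_pkcs7(const char *options_h)
{
    const char *p = options_h, *line;
    while ((p = strstr(p, "HAVE_PKCS7")) != NULL) {
        for (line = p; line > options_h && line[-1] != '\n'; line--) {}
        if (strncmp(line, "#define", 7) == 0 &&
            (p[10] == '\0' || p[10] == '\n' || p[10] == ' ' || p[10] == '\t'))
            return 1;
        p += 10;
    }
    return 0;
}

int classify_build(const char *options_h, const char *version_h)
{
    int v[3];
    if (extract_version(version_h, v) != 0) return BUILD_UNKNOWN;
    if (!version_le(v, LAST_AFFECTED)) return BUILD_PATCHED;
    return has_pkcs7(options_h) ? BUILD_EXPOSED : BUILD_OLD_NO_PKCS7;
}

/* Constructed samples in the shape configure generates. */
const char SAMPLE_OPTIONS_PKCS7[] =
    "#undef  HAVE_PKCS7\n#define HAVE_PKCS7\n#undef  HAVE_AESGCM\n#define HAVE_AESGCM\n";
const char SAMPLE_OPTIONS_NO_PKCS7[] =
    "#undef  HAVE_AESGCM\n#define HAVE_AESGCM\n";
const char SAMPLE_VERSION_584[] = "#define LIBWOLFSSL_VERSION_STRING \"5.8.4\"\n";
const char SAMPLE_VERSION_585[] = "#define LIBWOLFSSL_VERSION_STRING \"5.8.5\"\n";

/* Reads a whole file into a NUL-terminated heap string; NULL on failure. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    char *buf = NULL;
    long n;
    if (f == NULL) return NULL;
    if (fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) >= 0 &&
        (buf = malloc((size_t)n + 1)) != NULL) {
        rewind(f);
        buf[fread(buf, 1, (size_t)n, f)] = '\0';
    }
    fclose(f);
    return buf;
}

/* Usage: ./check <wolfssl/options.h> <wolfssl/version.h>; with no arguments
 * the constructed samples are classified instead. */
int main(int argc, char **argv)
{
    static const char *verdict[] = {"unparseable", "patched", "old version, PKCS7 off",
                                    "EXPOSED: old version with PKCS7 on"};
    const char *opt = SAMPLE_OPTIONS_PKCS7, *ver = SAMPLE_VERSION_584;
    char *fopt = NULL, *fver = NULL;
    int rc;
    if (argc == 3) {
        fopt = read_file(argv[1]);
        fver = read_file(argv[2]);
        if (fopt == NULL || fver == NULL) { fprintf(stderr, "cannot read headers\n"); return 2; }
        opt = fopt;
        ver = fver;
    }
    rc = classify_build(opt, ver);
    printf("%s\n", verdict[rc + 1]);
    free(fopt);
    free(fver);
    return rc == BUILD_EXPOSED;
}
```

Run it over each vendored tree (the header pair lives under the build or install prefix); a non-zero exit marks a build that needs the upgrade. Builds that set options through user_settings.h rather than configure will not have an options.h, so point the first argument at that file instead.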