CVE-2026-0819 (GCVE-0-2026-0819)
Vulnerability from cvelistv5 – Published: 2026-03-19 16:54 – Updated: 2026-03-19 17:19
VLAI
Title
Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes
Summary
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.
Severity
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0819",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T17:19:26.928139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T17:19:37.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"wolfcrypt PKCS7"
],
"product": "wolfSSL",
"programFiles": [
"wolfcrypt/src/pkcs7.c"
],
"programRoutines": [
{
"name": "wc_PKCS7_EncodeSignedData()"
}
],
"repo": "https://github.com/wolfSSL/wolfssl",
"vendor": "wolfSSL",
"versions": [
{
"lessThan": "5.9.0",
"status": "affected",
"version": "5.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Maor Caplan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack buffer overflow vulnerability exists in wolfSSL\u0027s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-\u0026gt;signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-\u0026gt;signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.\u003c/p\u003e"
}
],
"value": "A stack buffer overflow vulnerability exists in wolfSSL\u0027s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-\u003esignedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-\u003esignedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.2,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T16:54:33.442Z",
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"shortName": "wolfSSL"
},
"references": [
{
"name": "GitHub Pull Request",
"url": "https://github.com/wolfSSL/wolfssl/pull/9630"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.\u003c/p\u003e"
}
],
"value": "Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEnsure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.\u003c/p\u003e"
}
],
"value": "Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"assignerShortName": "wolfSSL",
"cveId": "CVE-2026-0819",
"datePublished": "2026-03-19T16:54:33.442Z",
"dateReserved": "2026-01-09T17:04:43.340Z",
"dateUpdated": "2026-03-19T17:19:37.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-0819",
"date": "2026-05-27",
"epss": "0.00021",
"percentile": "0.06164"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-0819\",\"sourceIdentifier\":\"facts@wolfssl.com\",\"published\":\"2026-03-19T17:16:21.657\",\"lastModified\":\"2026-04-29T18:50:05.933\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A stack buffer overflow vulnerability exists in wolfSSL\u0027s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-\u003esignedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-\u003esignedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de desbordamiento de b\u00fafer de pila existe en la funcionalidad de codificaci\u00f3n de datos firmados (SignedData) PKCS7 de wolfSSL. En wc_PKCS7_BuildSignedAttributes(), al a\u00f1adir atributos firmados personalizados, el c\u00f3digo pasa un valor de capacidad incorrecto (esd-\u0026gt;signedAttribsCount) a EncodeAttributes() en lugar del espacio disponible restante en el array de tama\u00f1o fijo signedAttribs[7]. Cuando una aplicaci\u00f3n establece pkcs7-\u0026gt;signedAttribsSz a un valor mayor que MAX_SIGNED_ATTRIBS_SZ (por defecto 7) menos el n\u00famero de atributos por defecto ya a\u00f1adidos, EncodeAttributes() escribe m\u00e1s all\u00e1 de los l\u00edmites del array, causando corrupci\u00f3n de memoria de pila. En compilaciones WOLFSSL_SMALL_STACK, esto se convierte en corrupci\u00f3n de heap. La explotaci\u00f3n requiere una aplicaci\u00f3n que permita que la entrada no confiable controle el tama\u00f1o del array signedAttribs al llamar a wc_PKCS7_EncodeSignedData() o funciones de firma relacionadas.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"facts@wolfssl.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"facts@wolfssl.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"},{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5.0\",\"versionEndExcluding\":\"5.9.0\",\"matchCriteriaId\":\"CC77D5AA-8CFE-43F8-8FD9-E003646125E0\"}]}]}],\"references\":[{\"url\":\"https://github.com/wolfSSL/wolfssl/pull/9630\",\"source\":\"facts@wolfssl.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0819\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T17:19:26.928139Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-19T17:19:29.637Z\"}}], \"cna\": {\"title\": \"Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Maor Caplan\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Overflow Buffers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/wolfSSL/wolfssl\", \"vendor\": \"wolfSSL\", \"modules\": [\"wolfcrypt PKCS7\"], \"product\": \"wolfSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.5.0\", \"lessThan\": \"5.9.0\", \"versionType\": \"semver\"}], \"programFiles\": [\"wolfcrypt/src/pkcs7.c\"], \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"wc_PKCS7_EncodeSignedData()\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://github.com/wolfSSL/wolfssl/pull/9630\", \"name\": \"GitHub Pull Request\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eEnsure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A stack buffer overflow vulnerability exists in wolfSSL\u0027s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-\u003esignedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-\u003esignedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA stack buffer overflow vulnerability exists in wolfSSL\u0027s PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-\u0026gt;signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-\u0026gt;signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"50d2cd11-d01a-48ed-9441-5bfce9d63b27\", \"shortName\": \"wolfSSL\", \"dateUpdated\": \"2026-03-19T16:54:33.442Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-0819\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T17:19:37.134Z\", \"dateReserved\": \"2026-01-09T17:04:43.340Z\", \"assignerOrgId\": \"50d2cd11-d01a-48ed-9441-5bfce9d63b27\", \"datePublished\": \"2026-03-19T16:54:33.442Z\", \"assignerShortName\": \"wolfSSL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…