CVE-2026-0819

A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.

CVSS

No CVSS.

References

Link	Resource
https://github.com/wolfSSL/wolfssl/pull/9630

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-19 17:16

Updated : 2026-03-20 13:39

NVD link : CVE-2026-0819

Mitre link : CVE-2026-0819

CVE.ORG link : CVE-2026-0819

JSON object : View

Products Affected

No product.

CWE

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-0819", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "facts@wolfssl.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T17:16:21.657", "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9630", "source": "facts@wolfssl.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "facts@wolfssl.com", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de b\u00fafer de pila existe en la funcionalidad de codificaci\u00f3n de datos firmados (SignedData) PKCS7 de wolfSSL. En wc_PKCS7_BuildSignedAttributes(), al a\u00f1adir atributos firmados personalizados, el c\u00f3digo pasa un valor de capacidad incorrecto (esd->signedAttribsCount) a EncodeAttributes() en lugar del espacio disponible restante en el array de tama\u00f1o fijo signedAttribs[7]. Cuando una aplicaci\u00f3n establece pkcs7->signedAttribsSz a un valor mayor que MAX_SIGNED_ATTRIBS_SZ (por defecto 7) menos el n\u00famero de atributos por defecto ya a\u00f1adidos, EncodeAttributes() escribe m\u00e1s all\u00e1 de los l\u00edmites del array, causando corrupci\u00f3n de memoria de pila. En compilaciones WOLFSSL_SMALL_STACK, esto se convierte en corrupci\u00f3n de heap. La explotaci\u00f3n requiere una aplicaci\u00f3n que permita que la entrada no confiable controle el tama\u00f1o del array signedAttribs al llamar a wc_PKCS7_EncodeSignedData() o funciones de firma relacionadas."}], "lastModified": "2026-03-20T13:39:46.493", "sourceIdentifier": "facts@wolfssl.com"}