CVE-2026-5504

Source
https://cve.org/CVERecord?id=CVE-2026-5504
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5504.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5504
Downstream
Published
2026-04-09T22:33:42.179Z
Modified
2026-07-16T03:48:40.562380880Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
PKCS7 CBC Padding Oracle — Plaintext Recovery
Details

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.

Database specific
{
    "cwe_ids": [
        "CWE-354"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5504.json",
    "cna_assigner": "wolfSSL"
}
References

Affected packages

Git / github.com/wolfssl/wolfssl

Affected ranges

Type
GIT
Repo
https://github.com/wolfssl/wolfssl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.9.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

Other
WCv4-rng-stable
l
list
wolfEntropy1
wolfEntropy2d
WCv5.*
WCv5.0-RC10
WCv5.0-RC11
WCv5.0-RC12
WCv5.0-RC9
v0.*
v0.5
v1.*
v1.8.8.0
v1.9.0
v2.*
v2.0.2
v2.0.3
v2.0.6
v2.0.8
v2.0rc1
v2.0rc2
v2.0rc2b
v2.0rc3
v2.4.2
v2.4.6
v2.4.7
v2.6.0
v2.6.2
v2.7.0
v2.7.2
v2.8.0
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.5a
v2.8.6
v2.9.0
v2.9.1
v2.9.2
v2.9.4
v3.*
v3.10.0-stable
v3.10.0a
v3.10.2-stable
v3.10.3
v3.11.0-stable
v3.11.1-tls13-beta
v3.12.0-stable
v3.12.2-stable
v3.13.0-stable
v3.13.2
v3.13.3
v3.14.0-stable
v3.14.0a
v3.14.0b
v3.14.2
v3.14.4
v3.15.0-stable
v3.15.3-stable
v3.15.5-stable
v3.15.5a
v3.15.6
v3.15.7-stable
v3.2.0
v3.2.4
v3.2.6
v3.3.0
v3.3.3
v3.4.0
v3.4.2
v3.4.6
v3.6.8
v3.6.9
v3.7.0
v3.7.1
v3.7.3
v3.8.0
v3.9.0
v3.9.1
v3.9.10-stable
v3.9.10b
v3.9.6
v3.9.6w
v3.9.8
v4.*
v4.0.0-stable
v4.1.0-stable
v4.2.0-stable
v4.2.0c
v4.3.0-stable
v4.4.0-stable
v4.5.0-stable
v4.6.0-stable
v4.7.0-stable
v4.7.1r
v4.8.0-stable
v5.*
v5.0.0-stable
v5.1.0-stable
v5.2.0-stable
v5.2.1
v5.3.0-stable
v5.4.0-stable
v5.5.0-stable
v5.5.1-stable
v5.5.2-stable
v5.5.3-stable
v5.5.4-stable
v5.6.0-stable
v5.6.2-stable
v5.6.3-stable
v5.6.4-stable
v5.6.6-stable
v5.7.0-stable
v5.7.2-stable
v5.7.4-stable
v5.7.6-stable
v5.8.0-stable
v5.8.2-stable
v5.8.4-stable
v5.9.0-stable

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5504.json"