{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0819", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "state": "PUBLISHED", "assignerShortName": "wolfSSL", "dateReserved": "2026-01-09T17:04:43.340Z", "datePublished": "2026-03-19T16:54:33.442Z", "dateUpdated": "2026-03-19T17:19:37.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2026-03-19T16:54:33.442Z"}, "title": "Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Overflow Buffers"}]}], "affected": [{"vendor": "wolfSSL", "product": "wolfSSL", "repo": "https://github.com/wolfSSL/wolfssl", "modules": ["wolfcrypt PKCS7"], "programFiles": ["wolfcrypt/src/pkcs7.c"], "programRoutines": [{"name": "wc_PKCS7_EncodeSignedData()"}], "versions": [{"status": "affected", "version": "5.5.0", "lessThan": "5.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-&gt;signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-&gt;signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.</p>"}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9630", "name": "GitHub Pull Request"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.2, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "workarounds": [{"lang": "en", "value": "Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.</p>"}]}], "solutions": [{"lang": "en", "value": "Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.</p>"}]}], "credits": [{"lang": "en", "value": "Maor Caplan", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T17:19:26.928139Z", "id": "CVE-2026-0819", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:19:37.134Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0819", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "state": "PUBLISHED", "assignerShortName": "wolfSSL", "dateReserved": "2026-01-09T17:04:43.340Z", "datePublished": "2026-03-19T16:54:33.442Z", "dateUpdated": "2026-03-19T17:19:37.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2026-03-19T16:54:33.442Z"}, "title": "Stack buffer overflow in PKCS7 SignedData encoding with custom signed attributes", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Overflow Buffers"}]}], "affected": [{"vendor": "wolfSSL", "product": "wolfSSL", "repo": "https://github.com/wolfSSL/wolfssl", "modules": ["wolfcrypt PKCS7"], "programFiles": ["wolfcrypt/src/pkcs7.c"], "programRoutines": [{"name": "wc_PKCS7_EncodeSignedData()"}], "versions": [{"status": "affected", "version": "5.5.0", "lessThan": "5.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd-&gt;signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7-&gt;signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.</p>"}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9630", "name": "GitHub Pull Request"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.2, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "workarounds": [{"lang": "en", "value": "Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Ensure that applications using wolfSSL PKCS7 signing functionality validate and limit the number of custom signed attributes (signedAttribsSz) to no more than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default signed attributes enabled. Do not allow untrusted input to control the signedAttribs array or its size.</p>"}]}], "solutions": [{"lang": "en", "value": "Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update to the patched version of wolfSSL. The fix adds proper bounds checking in wc_PKCS7_BuildSignedAttributes() to validate that the number of custom signed attributes does not exceed the available space in the fixed-size signedAttribs array, returning BUFFER_E if the limit is exceeded.</p>"}]}], "credits": [{"lang": "en", "value": "Maor Caplan", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T17:19:26.928139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:19:29.637Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions."}], "id": "CVE-2026-0819", "lastModified": "2026-03-19T17:16:21.657", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "facts@wolfssl.com", "type": "Secondary"}]}, "published": "2026-03-19T17:16:21.657", "references": [{"source": "facts@wolfssl.com", "url": "https://github.com/wolfSSL/wolfssl/pull/9630"}], "sourceIdentifier": "facts@wolfssl.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}], "source": "facts@wolfssl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.5.0,5.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wolfSSL", "source": "cna", "vendor": "wolfSSL"}, "product": "wolfssl", "vendor": "wolfssl"}], "analysis": {"en": {"generated_at": "2026-03-19T18:50:55.953422+00:00", "value": {"mitigation_remediation": ["Apply the patched version of wolfSSL that adds bounds checking in wc_PKCS7_BuildSignedAttributes().", "Validate the custom signed attribute count in application code: enforce that signedAttribsSz does not exceed MAX_SIGNED_ATTRIBS_SZ minus the number of default signed attributes."], "summary": {"action": "Immediate Patch", "impact": "Stack Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the wolfSSL library that include the PKCS7 signing functions and have not yet applied the patch introduced in pull request 9630. No specific version range is provided in the CVE data, so the risk applies to any pre\u2011patched build of wolfSSL.", "description_and_impact": "A stack buffer overflow exists in the PKCS7 SignedData encoding routine of wolfSSL. In wc_PKCS7_BuildSignedAttributes() the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining space in the fixed-size signedAttribs[7] array. When an application supplies a signedAttribsSz that exceeds the allowed maximum, the function writes beyond the bounds of the local stack buffer, causing stack memory corruption. In builds configured for a small stack, this can become heap corruption. The overflow is classified as CWE\u2011121 and CWE\u2011787. The severity is low (CVSS 2.2) but the corruption may lead to program crashes or, potentially, arbitrary code execution if the overflow is exploited to hijack control flow \u2013 an inference drawn from typical consequences of such memory violations.", "risk_and_exploitability": "The CVSS score is 2.2, indicating low severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires that an application accepts untrusted input that controls the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related functions. Therefore the attack vector is application\u2011driven, contingent on handling of external attribute data. If such input is not validated, the attacker could trigger the overflow, potentially crashing the process or, less directly, using the memory corruption to influence program execution."}}}}, "created": "2026-03-20T08:56:38.599416+00:00", "updated": "2026-03-20T11:06:49.620240+00:00", "vendors": ["wolfssl", "wolfssl$PRODUCT$wolfssl"]}