Signature Verification Flaw in wolfSSL's ECCSI Component
CVE-2026-5466

7.6HIGH

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-5466?

The vulnerability in wolfSSL's ECCSI signature verifier's wc_VerifyEccsiHash function allows an attacker to create a forged signature that can be incorrectly validated against any message for any identity, undermining the integrity and trust in cryptographic operations. This is achieved by exploiting the lack of bounds checking on the decoded r and s scalars, which should be validated to ensure they fall within the range of [1, q-1]. As a result, the affected versions of wolfSSL are susceptible to potential misuse, highlighting the need for prompt remediation and enhanced security measures.

Affected Version(s)

wolfSSL 0 < 5.9.1

References

https://github.com/wolfssl/wolfssl/pull/10102

CVSS V4

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Apr 3, 2026

Credit

Calif.io in collaboration with Claude and Anthropic Research

CVE-2026-5466 Data

JSON