ChaCha20-Poly1305 AEAD Vulnerability in wolfSSL Library
CVE-2026-5479

7.6HIGH

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-5479?

A security flaw exists in the EVP layer of the wolfSSL library, specifically within the ChaCha20-Poly1305 AEAD decryption process. The implementation fails to validate the authentication tag during the decryption process, potentially allowing malicious actors to manipulate data without detection. When applications utilize the EVP API for decryption, the failure to compare the computed tag against the expected value exposes the system to unauthorized access and data integrity issues. Proper mitigations and security patches are crucial for protecting applications utilizing this cryptographic library.

Affected Version(s)

wolfSSL 0 < 5.9.1

References

https://github.com/wolfSSL/wolfssl/pull/10102

CVSS V4

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Apr 3, 2026

Credit

Calif.io in collaboration with Claude and Anthropic Research

CVE-2026-5479 Data

JSON