Heap Buffer Overread in wolfSSL Product by wolfSSL
CVE-2026-6094

6.3MEDIUM

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-6094?

A heap buffer overread vulnerability exists in wolfSSL's handling of the wc_PKCS7_DecodeEnvelopedData function. This issue originates from improper parsing of maliciously crafted PKCS7 EnvelopedData, potentially allowing attackers to exploit the flaw via specially crafted data sent through S/MIME or CMS protocols. It is essential for users to apply patches and stay updated to mitigate the risks associated with this vulnerability.

Affected Version(s)

wolfSSL 5.8.0 <= 5.9.1

References

https://github.com/wolfSSL/wolfssl/pull/10128

patch

https://www.wolfssl.com/docs/security-vulnerabilities/

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Apr 10, 2026

Credit

Dikai Zou

CVE-2026-6094 Data

JSON

Wolfssl

What is CVE-2026-6094?

Affected Version(s)

References

CVSS V4

Timeline

Credit