HMAC Tag Forgery Vulnerability in wolfSSL Software
CVE-2026-6331

2.1LOW

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-6331?

A flaw in wolfSSL allows an attacker to exploit HMAC verification by submitting a zero-length or truncated tag, potentially validating a forgery. The mechanism only checks that the provided tag length does not exceed the MAC length, which could lead to unauthorized access or compromised data integrity. The vulnerability has been addressed in recent patches, which now enforce that the supplied tag length matches the MAC length exactly and reject any zero-length MACs, ensuring forged short or empty tags are no longer accepted.

Affected Version(s)

wolfSSL 3.15.5 <= 5.9.1

References

https://github.com/wolfSSL/wolfssl/pull/10192

patch

https://www.wolfssl.com/docs/security-vulnerabilities/

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Nicholas Carlini from Anthropic

CVE-2026-6331 Data

JSON

Wolfssl

What is CVE-2026-6331?

Affected Version(s)

References

CVSS V4

Timeline

Credit