Platform
c
Component
wolfssl
Fixed in
5.9.1
CVE-2026-5392 describes a heap out-of-bounds read vulnerability discovered in wolfSSL. A malicious actor can exploit this flaw by crafting a specially designed PKCS7 message, leading to potential information disclosure. This vulnerability affects versions 0.0.0 through 5.9.1 of wolfSSL, and a fix is available in version 5.9.1.
The core of this vulnerability lies in the PKCS7_VerifySignedData() function, where an indefinite-length end-of-content verification loop lacks proper bounds checking. An attacker can construct a PKCS7 message that exploits this missing check, causing the application to read beyond the allocated memory region on the heap. This out-of-bounds read can expose sensitive data stored in memory, potentially including cryptographic keys, session tokens, or other confidential information. The extent of data exposure depends on the memory layout and the attacker's ability to control the crafted PKCS7 message. While the immediate impact is information disclosure, this could be a stepping stone for further attacks, such as privilege escalation or remote code execution, depending on the context of the application using wolfSSL.
CVE-2026-5392 was publicly disclosed on 2026-04-09. There is currently no indication of active exploitation or a public proof-of-concept (POC). The vulnerability is not listed on the CISA KEV catalog as of this writing. The vulnerability's impact depends heavily on the specific application using wolfSSL and the sensitivity of the data it processes.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
The primary mitigation for CVE-2026-5392 is to upgrade to wolfSSL version 5.9.1 or later, which includes the necessary bounds check to prevent the out-of-bounds read. If upgrading is not immediately feasible, consider implementing input validation on PKCS7 messages to restrict the length and structure of the content. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to inspect and filter PKCS7 traffic can also provide a layer of defense. Monitor wolfSSL-using applications for unusual memory access patterns or crashes that might indicate exploitation. After upgrading, confirm the fix by attempting to parse a known malicious PKCS7 message and verifying that no out-of-bounds read occurs.
Update to version 5.9.1 or later of wolfSSL to mitigate the out-of-bounds read vulnerability in PKCS7 SignedData message parsing. This update corrects the missing bounds check in the indefinite-length end-of-content verification loop, preventing unauthorized heap memory reads.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5392 is a vulnerability in wolfSSL versions 0.0.0 through 5.9.1 that allows an attacker to trigger a heap out-of-bounds read by crafting a malicious PKCS7 message.
If you are using wolfSSL versions 0.0.0 through 5.9.1, you are potentially affected by this vulnerability. Check your version and upgrade if necessary.
Upgrade to wolfSSL version 5.9.1 or later to remediate the vulnerability. Consider input validation as a temporary mitigation if upgrading is not immediately possible.
As of now, there is no evidence of active exploitation or publicly available proof-of-concept for CVE-2026-5392.
Refer to the official wolfSSL security advisories on their website for the latest information and updates regarding CVE-2026-5392.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.