PKCS#7 AES-GCM tag truncation enables auth bypass in wolfSSL
TL;DR — wolfSSL’s PKCS#7 AES-GCM decode path accepts attacker-truncated authentication tags, weakening integrity checks and enabling a practical authentication bypass for in-path attackers.
What happened
wolfSSL is an embedded-focused TLS/cryptography library often shipped inside applications and appliances. CVE-2026-5500 describes an improper input validation issue in wc_PKCS7_DecodeAuthEnvelopedData() (in wolfcrypt/src/pkcs7.c) where the implementation does not properly sanitize the AES-GCM authentication tag length and has no lower bounds check.
Per the CVE record, a man-in-the-middle can truncate the mac field from 16 bytes to 1 byte, reducing the authentication tag check from 2^-128 to 2^-8.
| Item | Source value |
|---|---|
| Affected software | wolfSSL |
| Vulnerable surface | wc_PKCS7_DecodeAuthEnvelopedData() (PKCS#7 AuthEnvelopedData) |
| Impact (per CVE record) | AES-GCM integrity/authentication weakening via tag-length truncation; authentication bypass risk |
| Severity | CVSS v4.0 8.7 (High) |
| Affected versions | <= 5.9.0 |
| Upstream reference | Fix referenced via GitHub PR wolfSSL/wolfssl#10102 |
AEAD tag-validation failures (or effective reductions in tag strength) are high-impact because they undercut a core security invariant many application protocols assume: ciphertext integrity implies authenticity. This is especially notable when the flaw sits in a widely embedded crypto library used transitively by many products.
Who is impacted
- Projects using
wolfSSL<= 5.9.0(as marked in the CVE record). - Any application that processes PKCS#7 AuthEnvelopedData via
wc_PKCS7_DecodeAuthEnvelopedData()using AES-GCM. - Higher-risk environments where an attacker can plausibly operate in-path (e.g., untrusted networks, certain proxying/termination architectures, or hostile local segments) and where PKCS#7 objects are accepted from untrusted or semi-trusted sources.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record marks
wolfSSL <= 5.9.0as affected). - Inventory where PKCS#7 / CMS message handling is implemented (direct
wolfSSLusage, or through embedded components) and identify which services parse AuthEnvelopedData. - Treat this as an integrity/auth boundary issue: review where successful PKCS#7 verification is used to grant access, accept configuration, or establish identity.
- If compromise is suspected, audit traffic paths and inputs where an in-path attacker could tamper with PKCS#7 envelopes, and rotate secrets/keys whose trust assumptions depend on PKCS#7 message authenticity.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.