Cyber Resilience

CVE-2026-5466

High

Published: 10 April 2026

Published
10 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v4 7.6 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 4.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5466 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5466 is a vulnerability in wolfSSL's ECCSI signature verifier function `wc_VerifyEccsiHash`. The function decodes the `r` and `s` scalars from the signature blob using `mp_read_unsigned_bin` without validating that they lie within the required range `[1, q-1]`, where `q` is the curve order. This flaw, classified under CWE-347 (Breakaway Verification of Cryptographic Signature), affects wolfSSL implementations that use ECCSI (Elliptic Curve Cryptography with Certificateless Signatures for Images) signature verification.

An attacker can exploit this vulnerability by crafting a forged signature that includes `r` and `s` values outside the valid range. Such a signature will incorrectly verify as authentic against any arbitrary message and for any identity, requiring only publicly known constants like curve parameters. Exploitation is possible by any adversary who can supply a malicious signature blob to a vulnerable wolfSSL verifier, potentially bypassing authentication mechanisms in applications relying on ECCSI for integrity and authenticity checks.

The wolfSSL project has addressed this issue via a pull request at https://github.com/wolfssl/wolfssl/pull/10102, which adds the necessary range checks on `r` and `s` during decoding to ensure they fall within `[1, q-1]`. Security practitioners should update to a version incorporating this fix and audit deployments using wolfSSL's ECCSI functionality.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only…

more

publicly-known constants.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Signature verification bypass in wolfSSL ECCSI allows forged signatures to pass auth checks; directly enables remote exploitation of public-facing applications or services relying on the verifier for integrity/authenticity.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0750Shared CWE-347
CVE-2025-41767Shared CWE-347
CVE-2025-27670Shared CWE-347
CVE-2025-59719Shared CWE-347
CVE-2025-27773Shared CWE-347
CVE-2026-34840Shared CWE-347
CVE-2026-24032Shared CWE-347
CVE-2026-28432Shared CWE-347
CVE-2023-25574Shared CWE-347
CVE-2026-5050Shared CWE-347

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of r/s scalars supplied to wc_VerifyEccsiHash so they lie in [1, q-1], blocking the forged-signature acceptance described in the CVE.

prevent

Mandates correct implementation of cryptographic signature verification mechanisms, which the missing range check in ECCSI violates.

prevent

Requires integrity mechanisms (including signatures) to function correctly; the flawed verifier allows forged signatures to bypass authenticity checks.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248574 YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. via CWE-347
  • V-248575 OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
Oracle Linux 9 (2 rules)
  • V-271523 OL 9 must check the GPG signature of locally installed software packages before installation. via CWE-347
  • V-271525 OL 9 must have GPG signature verification enabled for all software repositories. via CWE-347
RHEL 7 (2 rules)
  • V-204447 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
  • V-204448 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
RHEL 8 (1 rule)
  • V-230264 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
RHEL 9 (1 rule)
  • V-257822 RHEL 9 must have GPG signature verification enabled for all software repositories. via CWE-347

References