CVE-2026-5477
Published: 10 April 2026
Summary
CVE-2026-5477 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Wolfssl Wolfssl. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the integer overflow flaw in wolfCrypt CMAC implementation to prevent CMAC tag forgery after 4 GiB data processing.
Enables vulnerability scanning to identify the CVE-2026-5477 integer overflow in deployed wolfSSL libraries, allowing proactive patching.
Mandates use of validated cryptographic mechanisms that address implementation flaws like the CMAC totalSz overflow leading to tag forgery.
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.NVD Description
An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the…
more
XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.
Deeper analysisAI
CVE-2026-5477 is an integer overflow vulnerability (CWE-190) in the wolfCrypt CMAC implementation within the wolfSSL cryptographic library. The issue arises in the wc_CmacUpdate function, which uses a guard condition `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block, where the digest is all-zeros and the operation is a no-op. However, totalSz is a word32 value that wraps around to zero after 2^28 block flushes (equivalent to 4 GiB of data), causing the guard to incorrectly discard the live CBC-MAC chain state.
An unauthenticated remote attacker with network access can exploit this vulnerability due to its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By processing two messages that share a common suffix beyond the 4 GiB mark, the attacker can generate identical CMAC tags with zero additional work, enabling a prefix-substitution forgery attack that violates message integrity.
The wolfSSL project has addressed the vulnerability via a pull request at https://github.com/wolfSSL/wolfssl/pull/10102, which removes the problematic guard condition and makes the XOR operation unconditional. This fix preserves the no-op behavior on the first block because the digest is zero-initialized by wc_InitCmac_ex, ensuring proper CBC-MAC chaining without relying on the totalSz check.
Details
- CWE(s)