Cyber Resilience

CVE-2026-7511

Medium

Published: 25 June 2026

Published
25 June 2026
Modified
27 June 2026
KEV Added
Patch
CVSS Score v4 5.9 CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 6.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-7511 is a medium-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Wolfssl Wolfssl. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Code Signing (T1553.002); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1553.002 Code Signing Defense Impairment
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

PKCS7 signature verification flaw (CWE-347) directly allows forged signatures to be accepted, enabling subversion of code signing controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-55961Same product: Wolfssl Wolfssl
CVE-2026-6331Same product: Wolfssl Wolfssl
CVE-2026-11310Same product: Wolfssl Wolfssl
CVE-2026-6329Same product: Wolfssl Wolfssl
CVE-2026-7532Same product: Wolfssl Wolfssl
CVE-2022-34293Same product: Wolfssl Wolfssl
CVE-2026-6291Same product: Wolfssl Wolfssl
CVE-2026-6330Same product: Wolfssl Wolfssl
CVE-2026-5501Same product: Wolfssl Wolfssl
CVE-2024-5814Same product: Wolfssl Wolfssl

Affected Assets

wolfssl
wolfssl
3.15.5 — 5.9.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

addresses: CWE-347

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

addresses: CWE-347

PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

addresses: CWE-347

Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

addresses: CWE-347

Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

addresses: CWE-347

Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

addresses: CWE-347

Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248574 YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. via CWE-347
  • V-248575 OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
Oracle Linux 9 (2 rules)
  • V-271523 OL 9 must check the GPG signature of locally installed software packages before installation. via CWE-347
  • V-271525 OL 9 must have GPG signature verification enabled for all software repositories. via CWE-347
RHEL 7 (2 rules)
  • V-204447 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
  • V-204448 The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
RHEL 8 (1 rule)
  • V-230264 RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. via CWE-347
RHEL 9 (1 rule)
  • V-257822 RHEL 9 must have GPG signature verification enabled for all software repositories. via CWE-347

References