{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5477", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "state": "PUBLISHED", "assignerShortName": "wolfSSL", "dateReserved": "2026-04-03T07:59:59.388Z", "datePublished": "2026-04-10T05:06:22.884Z", "dateUpdated": "2026-04-10T14:04:00.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2026-04-10T05:06:22.884Z"}, "title": "Prefix-substitution forgery via integer overflow in wolfCrypt CMAC", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer overflow or wraparound", "type": "CWE"}]}], "affected": [{"vendor": "wolfSSL", "product": "wolfSSL", "modules": ["wc_CmacUpdate"], "programFiles": ["wolfcrypt/src/cmac.c", "wolfcrypt/src/aes.c"], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "5.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the\u00a0guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op).\u00a0However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix\u00a0beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard,\u00a0making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the&nbsp;<span>guard `if (cmac-&gt;totalSz != 0)` to skip XOR-chaining on </span><span>the first block (where digest is all-zeros and the XOR is a no-op).&nbsp;</span><span>However, totalSz is word32 and wraps to zero after 2^28 block flushes </span><span>(4 GiB), causing the guard to erroneously discard the </span><span>live CBC-MAC chain state. Any two messages sharing a common suffix&nbsp;</span><span>beyond the 4 GiB mark then produce identical CMAC tags, enabling a </span><span>zero-work prefix-substitution forgery. The fix removes the guard,&nbsp;</span><span>making the XOR unconditional; the no-op property on the first block is </span><span>preserved because digest is zero-initialized by wc_InitCmac_ex.</span>"}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/10102"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Calif.io in collaboration with Claude and Anthropic Research", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:03:53.265423Z", "id": "CVE-2026-5477", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:04:00.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:03:53.265423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:03:57.033Z"}}], "cna": {"title": "Prefix-substitution forgery via integer overflow in wolfCrypt CMAC", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Calif.io in collaboration with Claude and Anthropic Research"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wolfSSL", "modules": ["wc_CmacUpdate"], "product": "wolfSSL", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.9.0"}], "programFiles": ["wolfcrypt/src/cmac.c", "wolfcrypt/src/aes.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/10102"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the\u00a0guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op).\u00a0However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix\u00a0beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard,\u00a0making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.", "supportingMedia": [{"type": "text/html", "value": "An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the&nbsp;<span>guard `if (cmac-&gt;totalSz != 0)` to skip XOR-chaining on </span><span>the first block (where digest is all-zeros and the XOR is a no-op).&nbsp;</span><span>However, totalSz is word32 and wraps to zero after 2^28 block flushes </span><span>(4 GiB), causing the guard to erroneously discard the </span><span>live CBC-MAC chain state. Any two messages sharing a common suffix&nbsp;</span><span>beyond the 4 GiB mark then produce identical CMAC tags, enabling a </span><span>zero-work prefix-substitution forgery. The fix removes the guard,&nbsp;</span><span>making the XOR unconditional; the no-op property on the first block is </span><span>preserved because digest is zero-initialized by wc_InitCmac_ex.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer overflow or wraparound"}]}], "providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2026-04-10T05:06:22.884Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5477", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:04:00.411Z", "dateReserved": "2026-04-03T07:59:59.388Z", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "datePublished": "2026-04-10T05:06:22.884Z", "assignerShortName": "wolfSSL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA5C710C-46E8-470C-83AF-D33D1A40512D", "versionEndIncluding": "5.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the\u00a0guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op).\u00a0However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix\u00a0beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard,\u00a0making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex."}], "id": "CVE-2026-5477", "lastModified": "2026-04-27T17:51:47.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "facts@wolfssl.com", "type": "Secondary"}]}, "published": "2026-04-10T06:16:05.243", "references": [{"source": "facts@wolfssl.com", "tags": ["Issue Tracking"], "url": "https://github.com/wolfSSL/wolfssl/pull/10102"}], "sourceIdentifier": "facts@wolfssl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "facts@wolfssl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.9.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wolfSSL", "source": "cna", "vendor": "wolfSSL"}, "product": "wolfssl", "vendor": "wolfssl"}], "analysis": {"en": {"generated_at": "2026-04-10T06:20:41.308308+00:00", "value": {"mitigation_remediation": ["Upgrade wolfSSL to a version that includes the CMAC update fix (see pull request 10102)."], "summary": {"action": "Patch Now", "impact": "Authentication Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the wolfSSL wolfCrypt CMAC component. Affected vendor is wolfSSL. No specific version information is provided in the advisory; the issue exists in all releases that include the flawed wc_CmacUpdate guard.", "description_and_impact": "An integer overflow in the wolfCrypt CMAC implementation causes the XOR\u2011chaining guard to be skipped after 4\u202fGiB of processed data. This produces identical CMAC tags for messages that share a common suffix beyond that boundary, allowing an attacker to forge a CMAC for a malicious message with a different prefix. The flaw is an integer overflow (CWE\u2011190) that enables bypass of authentication and can be used to manipulate or impersonate verified data.", "risk_and_exploitability": "With a CVSS score of 8.2 the vulnerability is high severity. EPSS information is not available and it is not listed in the CISA KEV catalog. Exploitation requires processing over four gigabytes of data to wrap the 32\u2011bit counter, so it is likely relevant to applications handling very large streams or files. When exploited, an attacker can forge CMAC tags and authenticate malicious messages, compromising data integrity and potentially enabling further attacks."}}}}, "created": "2026-04-10T08:35:41.654092+00:00", "updated": "2026-04-10T09:26:43.088899+00:00", "vendors": ["wolfssl", "wolfssl$PRODUCT$wolfssl"]}