VDB

CVE-2026-5504

CVE-2026-5504 PUBLISHED CVSS 6.3 MEDIUM

Reported by wolfSSL · Published April 9, 2026

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.

EPSS 0.02% · 5.2th percentile

Risk Scores

CVSS v4.0
6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.02%
5.2th percentile

Affected Products

VendorProductVersions
wolfSSLwolfSSL0
wolfSSLwolfSSL0

Timeline

  • Apr 9, 2026 CVE Published
  • Apr 10, 2026 EPSS Score
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score
  • May 27, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›