CVE Catalog

CVE-2026-6291

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

Bleichenbacher padding oracle vulnerability in PKCS#7 KTRI decryption in wolfSSL. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, the library returned distinguishable error codes depending on whether RSA padding validation failed or the decrypted content was malformed. This allowed an attacker to incrementally recover the Content Encryption Key (CEK) by observing error responses.

Risk Assessment

An attacker can exploit this vulnerability to recover the Content Encryption Key (CEK), compromising the confidentiality of data protected by PKCS#7 EnvelopedData. The risk is particularly high in environments where the attacker can repeatedly send crafted messages and observe responses.

Recommendation

Immediately update wolfSSL to a version containing the fix, which generates a deterministic pseudo-random fake CEK on padding failure and proceeds with decryption in constant-time, ensuring all failure paths return the same error.

Original NVD description (English source)

Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed. An attacker able to submit crafted EnvelopedData messages and observe error responses could use this as a padding oracle to incrementally recover the encrypted Content Encryption Key (CEK). The fix generates a deterministic pseudo-random fake CEK on padding failure (via HMAC-SHA256) and proceeds with decryption identically, using constant-time operations throughout, so that all failure paths produce the same error regardless of padding validity.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS