Is there a patch available for CVE-2026-5392?

Yes, a patch is available for CVE-2026-5392. Update the affected software to the latest version immediately.

Wolfssl CVE-2026-5392

Q: What is the CVSS score of CVE-2026-5392?

CVE-2026-5392 has a CVSS 4.0 base score of 2.3 (Low). CVSS vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21229 LOW

Out-of-bounds Read (CWE-125)

2026-04-09 wolfSSL

GHSA-52wm-3mqv-vmmj

Information Disclosure Buffer Overflow Wolfssl

2.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.3 LOW

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

5.9.1

EUVD ID Assigned

Apr 09, 2026 - 23:31 euvd

EUVD-2026-21229

Analysis Generated

Apr 09, 2026 - 23:31 vuln.today

CVE Published

Apr 09, 2026 - 23:10 nvd

LOW 2.3

DescriptionCVE.org

Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData().

AnalysisAI

Heap out-of-bounds read in wolfSSL versions prior to 5.9.1 allows unauthenticated attackers on an adjacent network to trigger information disclosure via a crafted PKCS7 message that bypasses bounds checking in the indefinite-length end-of-content verification loop. The vulnerability has a low CVSS score of 2.3 due to restricted attack vector (adjacent network only) and limited integrity impact, with no public exploit code identified at time of analysis.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a low real-world risk despite being a memory safety issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker on the same adjacent network segment crafts a malicious PKCS7 message with an indefinite-length encoding that triggers the bounds-checking bypass in PKCS7_VerifySignedData(). When the target system processes this message (e.g., during TLS handshake or message validation), the out-of-bounds read exposes heap memory contents that may contain sensitive cryptographic material or application secrets. …
Remediation	Vendor-released patch: wolfSSL 5.9.1 and later versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5392 vulnerability details – vuln.today

Back