Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.
AnalysisAI
Padding oracle vulnerability in wolfSSL's PKCS7 CBC decryption allows unauthenticated remote attackers to recover plaintext through repeated decryption queries with modified ciphertext, exploiting insufficient validation of interior padding bytes. The vulnerability requires high attack complexity and persistent attacker interaction but presents practical risk to systems using affected wolfSSL versions for PKCS7-encrypted communications.
Technical ContextAI
The vulnerability exists in wolfSSL's implementation of PKCS7 padding validation during CBC mode decryption. PKCS7 specifies that padding bytes must all contain the same value equal to the number of padding bytes added. The flaw lies in inadequate validation of interior padding bytes-bytes between the first and last padding byte-which enables a padding oracle attack. An attacker can iteratively modify ciphertext, submit it for decryption, and observe whether the decryption succeeds or fails, using these timing or error-response differences to infer information about the plaintext. This is a classic side-channel vulnerability (CWE-354: Improper Validation of Specified Quantity in Input) that allows bit-by-bit plaintext recovery without knowing the encryption key.
RemediationAI
Apply the patched version of wolfSSL released following PR #10088 (https://github.com/wolfSSL/wolfssl/pull/10088), which implements proper validation of all interior padding bytes in PKCS7 CBC decryption. Update wolfSSL library to the latest stable release that incorporates this fix. As a temporary workaround for high-risk deployments, avoid exposing decryption failure details (timing differences or distinct error messages) to untrusted network clients; instead, fail closed by treating all padding validation failures identically and logging events server-side only. Ensure applications do not retry decryption with modified ciphertexts based on user input.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21235
GHSA-qvjw-73xm-jw34