CVE-2026-5504 MEDIUM

CVE-2026-5504: PKCS7 CBC Padding Oracle — Plaintext Recovery

Vendor Wolfssl
Product wolfSSL
Weakness CWE-354
Published April 9, 2026
Last update April 14, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.

Key dates

02Disclosure timeline

April 9, 2026 CVE published
April 14, 2026 Record updated

Related vulnerabilities

04Related CVE