{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6681","assignerOrgId":"50d2cd11-d01a-48ed-9441-5bfce9d63b27","state":"PUBLISHED","assignerShortName":"wolfSSL","dateReserved":"2026-04-20T15:00:32.607Z","datePublished":"2026-06-25T20:11:39.446Z","dateUpdated":"2026-06-26T13:14:09.177Z"},"containers":{"cna":{"providerMetadata":{"orgId":"50d2cd11-d01a-48ed-9441-5bfce9d63b27","shortName":"wolfSSL","dateUpdated":"2026-06-25T20:11:39.446Z"},"title":"PKCS#7 decode ignores caller output buffer size, writing past buffer bounds","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-787","description":"CWE-787 Out-of-bounds Write","type":"CWE"},{"lang":"en","cweId":"CWE-120","description":"CWE-120 Buffer Copy without Checking Size of Input","type":"CWE"}]}],"affected":[{"vendor":"wolfSSL","product":"wolfSSL","collectionURL":"https://github.com/wolfSSL/wolfssl","versions":[{"status":"affected","version":"3.10.0","lessThanOrEqual":"5.9.0","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.</p>"}]}],"references":[{"url":"https://github.com/wolfSSL/wolfssl/pull/10116","tags":["patch"]},{"url":"https://www.wolfssl.com/docs/security-vulnerabilities/"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"CLEAR","version":"4.0","baseSeverity":"LOW","baseScore":1,"vectorString":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear"}}],"credits":[{"lang":"en","value":"Nicholas Carlini from Anthropic","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-26T13:13:59.659791Z","id":"CVE-2026-6681","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-26T13:14:09.177Z"}}]}}