cve.akaoma.com
CVE-2026-6094: Heap Buffer Overread Vulnerability in PKCS7 Processing
CVE-2026-6094 is a heap buffer overread in wc_PKCS7_DecodeEnvelopedData, the wolfSSL function that parses PKCS7 EnvelopedData structures. An unauthenticated attacker can trigger it with a specially crafted S/MIME or CMS message, potentially disclosing sensitive data from adjacent heap memory. There is currently no public proof-of-concept and no evidence of active exploitation. The vulnerability carries a CVSS base score of 6.3, a medium severity rating. Security teams are advised to monitor for updates from wolfSSL and to restrict the processing of untrusted S/MIME and CMS messages until a patch is available; validating PKCS7 EnvelopedData structures before they are decoded is also recommended as a precaution. The affected software is wolfSSL in versions up to 5.9.1-0.1 as packaged on Debian.
Key Points:
• CVE-2026-6094 allows unauthenticated attackers to trigger a heap buffer overread.
• The vulnerability can be triggered via crafted S/MIME or CMS messages.
• No patch is currently available; monitoring and input validation are recommended.
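The advisory recommends validating PKCS7 EnvelopedData structures before processing them; the following is an added example of such a pre-decode gate, written for this page and not taken from wolfSSL or from the CVE-2026-6094 fix. It checks that every DER length inside a ContentInfo fits within its parent element, the framing inconsistency that lets a decoder read past the end of its heap buffer. It assumes definite-length DER encoding (BER indefinite lengths are rejected), uses two constructed sample messages, and does not reflect the actual wolfSSL defect, whose details the advisory does not give.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Read tag + length at buf[0..len). Returns header size and stores the content length,
 * or 0 for a truncated header, an indefinite length (0x80) or a high-tag-number tag (0x1F). */
static size_t der_header(const uint8_t *buf, size_t len, size_t *tlen)
{
    size_t n, i;
    if (len < 2 || (buf[0] & 0x1F) == 0x1F) return 0;
    if (buf[1] < 0x80) { *tlen = buf[1]; return 2; }      /* short form */
    n = buf[1] & 0x7F;                                    /* long form: N length bytes follow */
    if (n == 0 || n > sizeof(size_t) || n > len - 2) return 0;
    for (*tlen = 0, i = 0; i < n; i++) *tlen = (*tlen << 8) | buf[2 + i];
    return 2 + n;
}
/* Every TLV in buf[0..len) must fit inside its parent (constructed elements are walked
 * recursively); a length that runs past its parent is what a naive decoder over-reads. */
static int der_well_framed(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0, hdr, tlen;
    if (depth > 16) return 0;                            /* EnvelopedData nests far less */
    while (off < len) {
        if ((hdr = der_header(buf + off, len - off, &tlen)) == 0) return 0;
        if (tlen > len - off - hdr) return 0;            /* declared length exceeds parent */
        if ((buf[off] & 0x20) && !der_well_framed(buf + off + hdr, tlen, depth + 1)) return 0;
        off += hdr + tlen;
    }
    return 1;
}
/* Pre-decode gate for a PKCS7/CMS ContentInfo: one outer SEQUENCE spanning the whole
 * buffer with consistent nested lengths. Returns 1 to pass, 0 to reject before decoding. */
int pkcs7_input_gate(const uint8_t *msg, size_t len)
{
    size_t hdr, tlen;
    if ((hdr = der_header(msg, len, &tlen)) == 0 || msg[0] != 0x30 || tlen != len - hdr) return 0;
    return der_well_framed(msg, len, 0);
}
/* Constructed sample: ContentInfo { id-envelopedData, [0] { version 0, recipientInfos SET {} } } */
const uint8_t good_msg[] = { 0x30, 0x14, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
    0x07, 0x03, 0xA0, 0x07, 0x30, 0x05, 0x02, 0x01, 0x00, 0x31, 0x00 };
/* Constructed sample: identical, except the inner SET claims 0x40 bytes that are not present */
const uint8_t bad_msg[] = { 0x30, 0x14, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
    0x07, 0x03, 0xA0, 0x07, 0x30, 0x05, 0x02, 0x01, 0x00, 0x31, 0x40 };

int main(void)
{   /* expected output: well-formed 1, over-long SET 0, truncated 0 */
    printf("well-formed %d, over-long SET %d, truncated %d\n", pkcs7_input_gate(good_msg, sizeof good_msg),
           pkcs7_input_gate(bad_msg, sizeof bad_msg), pkcs7_input_gate(good_msg, sizeof good_msg - 1));
    return 0;
}
```

A message that fails the gate should be logged and dropped rather than handed to the decoder; the gate only checks framing and does not replace the vendor patch.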