CVE-2026-6678: Integer Underflow Vulnerability in PKCS#7 Decryption

First seen 26 Jun 2026, 11:07 UTC. Sources: Feedly, cve.akaoma.com, vuldb.com, euvd.enisa.europa.eu, nitter.net

CVE-2026-6678 is an integer underflow vulnerability in the wc_PKCS7_DecryptOri function, affecting systems that process PKCS#7 messages. An unauthenticated attacker can exploit this vulnerability by sending crafted messages with malformed Other Recipient Info, leading to potential disclosure of sensitive data. The vulnerability has a CVSS base score of 4.0, indicating a low to medium severity. Currently, there is no public proof-of-concept or evidence of active exploitation. Security teams are advised to monitor and validate PKCS#7 message structures and restrict network access to affected systems. As of now, no patch information is available. The vulnerability was published on June 25, 2026.

Key Points:
• CVE-2026-6678 involves an integer underflow in PKCS#7 message decryption.
• Exploitation allows unauthorized access to sensitive data through crafted messages.
• No patches or public proof-of-concept are currently available.

Timeline

2026-06-25: CVE-2026-6678 published
CVE-2026-6678 was officially published, detailing an integer underflow in wc_PKCS7_DecryptOri.
Source: Feedly

2026-06-26: Security advisory issued
Security teams are urged to monitor PKCS#7 messages and restrict access to vulnerable systems.
Source: cve.akaoma.com
