CVE-2026-6094
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.
Risk Assessment
The risk involves potential remote code execution or disclosure of sensitive data by sending a specially crafted S/MIME or CMS message to a vulnerable application.
Recommendation
It is recommended to immediately update the wolfSSL library to a version containing the fix for CVE-2026-6094 and implement S/MIME and CMS traffic filtering on the mail gateway.
Original NVD description (English source)
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

