CVE Catalog

CVE-2026-6094

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

18th percentile — higher than 18% of all known CVEs

Summary

Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

Risk Assessment

The risk involves potential remote code execution or disclosure of sensitive data by sending a specially crafted S/MIME or CMS message to a vulnerable application.

Recommendation

It is recommended to immediately update the wolfSSL library to a version containing the fix for CVE-2026-6094 and implement S/MIME and CMS traffic filtering on the mail gateway.

Original NVD description (English source)

Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS