CVE-2026-5466
Published: 10 April 2026
Description
wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only…
more
publicly-known constants.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.
Security SummaryAI
CVE-2026-5466 is a vulnerability in wolfSSL's ECCSI signature verifier function `wc_VerifyEccsiHash`. The function decodes the `r` and `s` scalars from the signature blob using `mp_read_unsigned_bin` without validating that they lie within the required range `[1, q-1]`, where `q` is the curve order. This flaw, classified under CWE-347 (Breakaway Verification of Cryptographic Signature), affects wolfSSL implementations that use ECCSI (Elliptic Curve Cryptography with Certificateless Signatures for Images) signature verification.
An attacker can exploit this vulnerability by crafting a forged signature that includes `r` and `s` values outside the valid range. Such a signature will incorrectly verify as authentic against any arbitrary message and for any identity, requiring only publicly known constants like curve parameters. Exploitation is possible by any adversary who can supply a malicious signature blob to a vulnerable wolfSSL verifier, potentially bypassing authentication mechanisms in applications relying on ECCSI for integrity and authenticity checks.
The wolfSSL project has addressed this issue via a pull request at https://github.com/wolfssl/wolfssl/pull/10102, which adds the necessary range checks on `r` and `s` during decoding to ensure they fall within `[1, q-1]`. Security practitioners should update to a version incorporating this fix and audit deployments using wolfSSL's ECCSI functionality.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Signature verification bypass in wolfSSL ECCSI allows forged signatures to pass auth checks; directly enables remote exploitation of public-facing applications or services relying on the verifier for integrity/authenticity.