CVE-2026-5479

Published: Apr 10, 2026

Modified: Apr 22, 2026

PUBLISHED

Description

In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value.

Vendor	Product	Versions
wolfSSL	wolfSSL	affected `0 - < 5.9.1`

Weaknesses (CWE)

CWE-354

References

https://github.com/wolfSSL/wolfssl/pull/10102

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-5479

Description

Affected Products

Weaknesses (CWE)

References