GHSA-hvwm-w7rw-23cv
A Bleichenbacher padding oracle vulnerability exists in wolfSSL's PKCS#7 EnvelopedData decryption when using RSA PKCS#1 v1.5 key transport. The library returned distinguishable error codes depending on whether RSA padding validation failed or the decrypted content was malformed, allowing an attacker to use error responses as a padding oracle to recover the encrypted Content Encryption Key (CEK). The fix involves generating a deterministic pseudo-random fake CEK on padding failure and using constant-time operations to ensure all failure paths produce the same error, preventing information leakage.
AI Analysis
Technical Summary
The vulnerability in wolfSSL involves a Bleichenbacher padding oracle during PKCS#7 EnvelopedData decryption with RSA PKCS#1 v1.5 key transport. The implementation returned different error codes for padding validation failures versus malformed decrypted content, enabling attackers who can submit crafted EnvelopedData messages and observe error responses to incrementally recover the encrypted CEK. The remediation approach is to generate a deterministic pseudo-random fake CEK on padding failure using HMAC-SHA256 and perform decryption with constant-time operations so that all failure paths yield indistinguishable errors, mitigating the oracle attack.
Potential Impact
An attacker able to submit crafted messages and observe error responses could exploit this vulnerability to incrementally recover the encrypted Content Encryption Key, potentially compromising the confidentiality of encrypted data. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix involves generating a deterministic pseudo-random fake CEK on padding failure and using constant-time operations to ensure uniform error responses, which mitigates the padding oracle. Until an official fix or patch is confirmed, users should monitor vendor advisories for updates.
GHSA-hvwm-w7rw-23cv
Description
A Bleichenbacher padding oracle vulnerability exists in wolfSSL's PKCS#7 EnvelopedData decryption when using RSA PKCS#1 v1.5 key transport. The library returned distinguishable error codes depending on whether RSA padding validation failed or the decrypted content was malformed, allowing an attacker to use error responses as a padding oracle to recover the encrypted Content Encryption Key (CEK). The fix involves generating a deterministic pseudo-random fake CEK on padding failure and using constant-time operations to ensure all failure paths produce the same error, preventing information leakage.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in wolfSSL involves a Bleichenbacher padding oracle during PKCS#7 EnvelopedData decryption with RSA PKCS#1 v1.5 key transport. The implementation returned different error codes for padding validation failures versus malformed decrypted content, enabling attackers who can submit crafted EnvelopedData messages and observe error responses to incrementally recover the encrypted CEK. The remediation approach is to generate a deterministic pseudo-random fake CEK on padding failure using HMAC-SHA256 and perform decryption with constant-time operations so that all failure paths yield indistinguishable errors, mitigating the oracle attack.
Potential Impact
An attacker able to submit crafted messages and observe error responses could exploit this vulnerability to incrementally recover the encrypted Content Encryption Key, potentially compromising the confidentiality of encrypted data. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix involves generating a deterministic pseudo-random fake CEK on padding failure and using constant-time operations to ensure uniform error responses, which mitigates the padding oracle. Until an official fix or patch is confirmed, users should monitor vendor advisories for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-hvwm-w7rw-23cv
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-6291"]
- Ecosystems
- []
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a3ef79027e9c79719ff6e86
Added to database: 06/26/2026, 22:05:04 UTC
Last enriched: 06/26/2026, 22:17:32 UTC
Last updated: 06/27/2026, 01:11:11 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.