CVE-2026-5479
wolfSSL EVP ChaCha20-Poly1305 AEAD authentication tag
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
1th
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value.
| CWE | CWE-354 |
| Vendor | wolfssl |
| Product | wolfssl |
| Published | Apr 10, 2026 |
| Last Updated | Apr 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for wolfssl wolfssl
Be the first to know when new unknown vulnerabilities affecting wolfssl wolfssl are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
wolfSSL / wolfSSL
0 < 5.9.1
References
Credits
Calif.io in collaboration with Claude and Anthropic Research