CVE-2026-5466
CWE-347Published: April 10, 2026· Updated: Apr 13, 2026
Official Description
wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants.
Technical Analysis
CVE-2026-5466 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A proof-of-concept (PoC) exploit exists for CVE-2026-5466. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-347)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-5466 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts