CVE-2026-5479 Overview
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. This cryptographic vulnerability allows attackers on an adjacent network to bypass authentication integrity checks and potentially decrypt or tamper with encrypted communications.
Critical Impact
Authentication tag verification bypass in ChaCha20-Poly1305 AEAD decryption allows attackers to bypass integrity checks, potentially enabling plaintext disclosure and message tampering without detection.
Affected Products
- wolfSSL library (versions using the EVP API for ChaCha20-Poly1305 decryption)
- Applications utilizing wolfSSL_EVP_CipherFinal for AEAD operations
Discovery Timeline
- 2026-04-10 - CVE-2026-5479 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-5479
Vulnerability Analysis
This vulnerability is classified under CWE-354 (Improper Validation of Integrity Check Value), which describes scenarios where software fails to properly verify that data has not been modified or corrupted. The flaw resides in wolfSSL's OpenSSL-compatible EVP (Envelope) API layer, specifically within the cipher finalization routines used for authenticated encryption with associated data (AEAD).
ChaCha20-Poly1305 is an AEAD cipher suite that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. The fundamental security guarantee of AEAD is that decryption should fail if the ciphertext or associated data has been tampered with—this is enforced through tag verification. In wolfSSL's implementation, while the Poly1305 authentication tag is computed during the decryption process, the critical comparison step against the provided tag is missing or bypassed in the EVP code path.
The adjacent network attack vector indicates that exploitation requires the attacker to be on the same network segment as the target, enabling man-in-the-middle positioning to intercept and modify encrypted traffic. The vulnerability requires some preconditions to be met for successful exploitation, but requires no privileges or user interaction.
Root Cause
The root cause is an implementation defect in the wolfSSL_EVP_CipherFinal function where the authentication tag comparison logic is missing for the ChaCha20-Poly1305 cipher suite. The EVP layer computes or accepts the Poly1305 tag but fails to execute the constant-time comparison that would verify the tag matches the expected value. This effectively renders the authenticated encryption unauthenticated, as modified ciphertext will be decrypted and returned to the application without any indication of tampering.
Attack Vector
The attack exploits the missing tag verification by allowing an attacker positioned on the adjacent network to intercept ChaCha20-Poly1305 encrypted traffic and modify ciphertext blocks. Since the decryption routine does not validate the authentication tag, the modified ciphertext is decrypted and returned to the calling application as if it were legitimate. This can enable:
- Ciphertext Manipulation: Attackers can modify encrypted messages in transit without detection
- Plaintext Recovery: In certain scenarios, selective ciphertext modification combined with observing application behavior can leak plaintext information
- Protocol Downgrade: Applications relying on AEAD integrity may be susceptible to protocol-level attacks
The vulnerability affects applications using the EVP API specifically—direct use of wolfSSL's native ChaCha20-Poly1305 functions may not be affected. Technical details and the fix implementation are available in the wolfSSL GitHub Pull Request #10102.
Detection Methods for CVE-2026-5479
Indicators of Compromise
- Unexpected decryption success when processing malformed or tampered ciphertext in applications using wolfSSL EVP API
- Authentication failures or data integrity issues detected at higher protocol layers despite successful decryption
- Network traffic analysis showing modified TLS records that should have caused decryption failures
Detection Strategies
- Audit application code for usage of wolfSSL_EVP_CipherFinal and related EVP cipher functions with ChaCha20-Poly1305
- Implement protocol-level integrity checks as a defense-in-depth measure independent of AEAD tag verification
- Deploy network intrusion detection rules to identify anomalous patterns in ChaCha20-Poly1305 encrypted traffic
Monitoring Recommendations
- Monitor for unusual TLS session behavior where data integrity issues occur despite successful decryption operations
- Implement logging around EVP cipher operations to detect potential exploitation attempts
- Review application-level error logs for inconsistencies that may indicate tampered ciphertext processing
How to Mitigate CVE-2026-5479
Immediate Actions Required
- Update wolfSSL to a patched version that includes the authentication tag verification fix
- Audit and test applications using the EVP API for ChaCha20-Poly1305 to ensure proper behavior
- Consider using wolfSSL's native AEAD functions instead of the EVP compatibility layer if immediate patching is not possible
- Implement additional application-layer integrity verification as a temporary defense-in-depth measure
Patch Information
The fix for this vulnerability is available in the wolfSSL GitHub repository Pull Request #10102. The patch adds proper authentication tag verification in the EVP cipher finalization path for ChaCha20-Poly1305. Organizations should update to the patched wolfSSL version and rebuild all dependent applications.
Workarounds
- Avoid using the EVP API for ChaCha20-Poly1305 operations; use wolfSSL's native AEAD functions instead
- Implement application-layer message authentication as an additional integrity check
- Consider using alternative AEAD cipher suites through the EVP API until the patch is applied
- Network segmentation can reduce the attack surface by limiting adjacent network access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
