{
  "ticket_id": "CVE-2026-5479",
  "code_root": "external/wolfssl",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-5479",
    "repo": "https://github.com/wolfSSL/wolfssl"
  },
  "facts": {
    "issue_summary": "wolfSSL's EVP-compatibility ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (libwolfssl) fails to verify the Poly1305 authentication tag before returning the decrypted plaintext to the caller. A consumer that uses the EVP API to decrypt ChaCha20-Poly1305 ciphertext will therefore accept attacker-modified ciphertext as authentic: any active network adversary can forge ChaCha20-Poly1305 messages and the application will treat them as integrity-checked. Confidentiality/integrity loss; no impact on availability.",
    "vulnerability_type": "AEAD integrity-check bypass (CWE-354 — Improper Validation of Integrity Check Value)",
    "suspected_cwe": ["CWE-354"],
    "affected_versions": "< 5.9.1",
    "fixed_versions": ["5.9.1"],
    "reproduce_version": "v5.9.0-stable",
    "verify_fixed_version": "v5.9.1-stable",
    "repo_url": "https://github.com/wolfSSL/wolfssl.git",
    "checkout_ref": "v5.9.0-stable",
    "fix_pr_url": "https://github.com/wolfSSL/wolfssl/pull/10102",
    "code_root": "external/wolfssl",
    "attacker_access": "any active network adversary or anyone who can supply a ChaCha20-Poly1305 ciphertext to an application using wolfSSL's EVP API",
    "primary_entry_point": "wolfSSL_EVP_CipherFinal in wolfcrypt/src/evp.c, ChaCha20-Poly1305 branch",
    "build_hint": "./autogen.sh && ./configure --enable-chacha --enable-poly1305 --enable-aesgcm --enable-opensslextra --disable-shared --enable-debug CFLAGS='-fsanitize=address -g -O0' --prefix=/tmp/wolfssl-vuln && make -j && make install. Repeat at v5.9.1-stable into /tmp/wolfssl-fixed.",
    "trigger_hint": "Write a small C program that uses the EVP API to (a) encrypt a plaintext under ChaCha20-Poly1305 with a known key/nonce, (b) flip a byte in the ciphertext OR replace the tag with zeros, (c) call EVP_DecryptInit_ex + EVP_DecryptUpdate + EVP_DecryptFinal_ex. On vulnerable build the Final call returns success and produces plaintext; on fixed build the Final call returns failure (return value <=0) and produces no plaintext.",
    "tested_under": "Linked against /tmp/wolfssl-vuln/lib/libwolfssl.so vs /tmp/wolfssl-fixed/lib/libwolfssl.so via LD_LIBRARY_PATH; both runs use the identical test binary."
  }
}