{
  "cve_id": "CVE-2026-5479",
  "vulnerable_version": "wolfSSL v5.9.0-stable",
  "fixed_version": "wolfSSL v5.9.1-stable",
  "test_program": "repro/aead_tag_check.c",
  "api_under_test": "wolfSSL_EVP_CipherFinal (ChaCha20-Poly1305 decrypt path, called through EVP_DecryptFinal_ex)",
  "tamper_strategies": [
    "zeroed_authentication_tag",
    "random_authentication_tag",
    "flipped_ciphertext_byte_with_correct_tag"
  ],
  "vulnerable_results": {
    "test1_zeroed_tag": {
      "EVP_DecryptFinal_ex_return": 1,
      "behavior": "accepted_forged_tag"
    },
    "test2_random_tag": {
      "EVP_DecryptFinal_ex_return": 1,
      "behavior": "accepted_forged_tag"
    },
    "test3_modified_ciphertext": {
      "EVP_DecryptFinal_ex_return": 1,
      "behavior": "accepted_modified_ciphertext"
    }
  },
  "fixed_results": {
    "test1_zeroed_tag": {
      "EVP_DecryptFinal_ex_return": 0,
      "behavior": "rejected_forged_tag"
    },
    "test2_random_tag": {
      "EVP_DecryptFinal_ex_return": 0,
      "behavior": "rejected_forged_tag"
    },
    "test3_modified_ciphertext": {
      "EVP_DecryptFinal_ex_return": 0,
      "behavior": "rejected_modified_ciphertext"
    }
  }
}
