{ "cve_id": "CVE-2026-5479", "reproduced": true, "verdict": "confirmed", "reproduction_script": "repro/reproduction_steps.sh", "vulnerable_version": "wolfSSL v5.9.0-stable", "fixed_version": "wolfSSL v5.9.1-stable", "issue_type": "AEAD integrity-check bypass (CWE-354)", "summary": "wolfSSL's EVP compatibility API for ChaCha20-Poly1305 decryption (wolfSSL_EVP_CipherFinal) fails to verify the Poly1305 authentication tag before returning decrypted plaintext. This allows forged or modified ciphertext to be accepted as authentic.", "details": { "trigger": "EVP ChaCha20-Poly1305 decrypt path via wolfSSL_EVP_CipherFinal with a forged tag, random bad tag, or modified ciphertext", "vulnerable_behavior": "EVP_DecryptFinal_ex returns success (1) on all three tampered inputs: zeroed tag, random bad tag, and flipped ciphertext byte with correct tag. The decrypted plaintext is returned without any integrity verification.", "fixed_behavior": "EVP_DecryptFinal_ex returns failure (0) on all three tampered inputs, correctly rejecting forged tags and modified ciphertext.", "api_under_test": "wolfSSL_EVP_CipherFinal (ChaCha20-Poly1305 decrypt path in wolfcrypt/src/evp.c)", "tamper_strategies": [ "zeroed_authentication_tag", "random_authentication_tag", "flipped_ciphertext_byte_with_correct_tag" ], "vulnerable_results": { "test1_zeroed_tag": { "EVP_DecryptFinal_ex_return": 1, "behavior": "accepted_forged_tag" }, "test2_random_tag": { "EVP_DecryptFinal_ex_return": 1, "behavior": "accepted_forged_tag" }, "test3_modified_ciphertext": { "EVP_DecryptFinal_ex_return": 1, "behavior": "accepted_modified_ciphertext" } }, "fixed_results": { "test1_zeroed_tag": { "EVP_DecryptFinal_ex_return": 0, "behavior": "rejected_forged_tag" }, "test2_random_tag": { "EVP_DecryptFinal_ex_return": 0, "behavior": "rejected_forged_tag" }, "test3_modified_ciphertext": { "EVP_DecryptFinal_ex_return": 0, "behavior": "rejected_modified_ciphertext" } }, "logs": [ "logs/vulnerable_output.txt", "logs/fixed_output.txt", "logs/runtime_manifest.json" ] } }