{
  "ticket_id": "CVE-2026-5466",
  "code_root": "external/wolfssl",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-5466",
    "repo": "https://github.com/wolfSSL/wolfssl"
  },
  "facts": {
    "issue_summary": "wolfSSL's ECCSI (Elliptic Curve-based Certificateless Signatures for Identity-based Encryption) signature verifier wc_VerifyEccsiHash decodes the scalar components r and s from the signature blob via mp_read_unsigned_bin WITHOUT checking that they lie in the valid range [1, q-1] (where q is the curve order). An attacker can craft a forged signature using only publicly-known constants (e.g., r = 0, s = 0, or r = q, s = q) that the verifier accepts as valid for ANY message under ANY identity. This is a UNIVERSAL signature forgery: no private key is required, no oracle is required, and the same forged signature works against any message and any signer identity.",
    "vulnerability_type": "Universal cryptographic signature forgery via missing scalar range check (CWE-347)",
    "suspected_cwe": ["CWE-347"],
    "affected_versions": "< 5.9.1",
    "fixed_versions": ["5.9.1"],
    "reproduce_version": "v5.9.0-stable",
    "verify_fixed_version": "v5.9.1-stable",
    "repo_url": "https://github.com/wolfSSL/wolfssl.git",
    "checkout_ref": "v5.9.0-stable",
    "fix_pr_url": "https://github.com/wolfSSL/wolfssl/pull/10102",
    "code_root": "external/wolfssl",
    "attacker_access": "Any party with the victim's public ECCSI key material — no private key, no chosen-message oracle, no preimage required.",
    "primary_entry_point": "wc_VerifyEccsiHash in wolfcrypt/src/ecc.c (or wolfcrypt/src/eccsi.c depending on version). The decode-and-verify path uses mp_read_unsigned_bin on attacker-supplied bytes for r and s, then performs the verification arithmetic without first asserting 1 <= r < q and 1 <= s < q.",
    "build_hint": "./autogen.sh && ./configure --enable-eccsi --enable-ecc --enable-sha256 --disable-shared --enable-static --enable-debug CFLAGS='-fsanitize=address -g -O0' --prefix=/tmp/wolfssl-vuln && make -j && make install. Repeat at v5.9.1-stable into /tmp/wolfssl-fixed.",
    "trigger_hint": "Write a C program that: (1) loads (or generates with attacker-known parameters) a valid ECCSI public key + signer-identity, (2) constructs a forged signature blob with r and s set to a known invalid scalar (try r=0,s=0; r=q,s=q; r=q,s=0; r=q,s=1; r=2*q, s=2*q) for an attacker-chosen message body M, (3) calls wc_VerifyEccsiHash(M, identity, forged_sig). On vulnerable wolfSSL the verifier returns success for at least one of those scalar choices; on fixed wolfSSL all of them are rejected with the appropriate error code (e.g., MP_ZERO_E, MP_VAL, or a new BAD_FUNC_ARG path).",
    "end_to_end_requirement": "The reproduction MUST demonstrate END-TO-END SIGNATURE FORGERY — not merely a unit test against an internal function. Show that wc_VerifyEccsiHash() returns success (0) on vulnerable for an attacker-chosen message under an attacker-chosen identity using only publicly-known constants, and that the SAME forged signature is rejected on fixed. ASAN output alone is NOT sufficient. The verdict must record: (a) the exact forged-scalar values that bypassed verification, (b) the verifier's return code on vulnerable (success) vs fixed (failure), (c) the message text that was 'authenticated' by the forgery. If the agent cannot produce a forgery that verifies, the verdict is not_confirmed (do not file an ASAN-only proof).",
    "tested_under": "Linked against /tmp/wolfssl-vuln/lib/libwolfssl.so vs /tmp/wolfssl-fixed/lib/libwolfssl.so via LD_LIBRARY_PATH; both runs use the identical forgery program."
  }
}