{
  "verdict": "not_confirmed",
  "vulnerable_accepted_forgery": 1,
  "fixed_rejected_all_variants": 1,
  "cve": "CVE-2026-5466",
  "details": "Ten distinct variant and bypass attempts were systematically tested against wolfSSL v5.9.1-stable (commit 1d363f3adceba9d1478230ede476a37b0dcdef24). All attempts were rejected by the fixed version with appropriate error codes (MP_ZERO_E, ECC_OUT_OF_RANGE_E, BAD_FUNC_ARG, ECC_INF_E). No alternate entry point, encoding bypass, or boundary-value bypass was found. The upstream fix is complete for the ECCSI verification path.",
  "variant_attempts": [
    {
      "id": 1,
      "description": "r=0, s=0 (original exploit)",
      "vulnerable_result": "accepted",
      "fixed_result": "rejected (MP_ZERO_E, -121)",
      "bypass": false
    },
    {
      "id": 2,
      "description": "r=order, s=order (exact upper boundary)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (ECC_OUT_OF_RANGE_E, -217)",
      "bypass": false
    },
    {
      "id": 3,
      "description": "r=order+1, s=order+1 (above upper boundary)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (ECC_OUT_OF_RANGE_E, -217)",
      "bypass": false
    },
    {
      "id": 4,
      "description": "r=2q, s=2q (double order)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (verified=0)",
      "bypass": false
    },
    {
      "id": 5,
      "description": "r=0, s=order-1 (zero-r with valid-s)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (MP_ZERO_E, -121)",
      "bypass": false
    },
    {
      "id": 6,
      "description": "r=1, s=0 (valid-r with zero-s)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (MP_ZERO_E, -121)",
      "bypass": false
    },
    {
      "id": 7,
      "description": "r=order-1, s=order-1 (valid boundary scalars)",
      "vulnerable_result": "rejected (verified=0)",
      "fixed_result": "rejected (verified=0)",
      "bypass": false
    },
    {
      "id": 8,
      "description": "wrong sigSz (SIG_SIZE-1) parser robustness",
      "vulnerable_result": "rejected (BAD_FUNC_ARG, -173)",
      "fixed_result": "rejected (BAD_FUNC_ARG, -173)",
      "bypass": false
    },
    {
      "id": 9,
      "description": "r=0, s=0 with PVT encoded as infinity",
      "vulnerable_result": "rejected (ECC_INF_E, -140)",
      "fixed_result": "rejected (ECC_INF_E, -140)",
      "bypass": false
    },
    {
      "id": 10,
      "description": "r=0, s=0 with different message",
      "vulnerable_result": "accepted",
      "fixed_result": "rejected (MP_ZERO_E, -121)",
      "bypass": false
    }
  ],
  "blocking_mitigation": "upstream_fix_complete",
  "blocking_mitigation_detail": "The upstream patch (commit 13a016367ff4b4d3cc4c9bc2bfdfe692a512dd81) adds [1,q-1] range checks for r and s, plus a defense-in-depth point-at-infinity guard. wc_VerifyEccsiHash is the sole ECCSI verification API, and there are no alternate callers of the static helpers eccsi_calc_j, eccsi_decode_sig_s, or eccsi_decode_sig_r_pvt."
}