{
  "variant_id": "cve-2026-5466-variant-analysis",
  "created_at": "2026-05-28T12:50:54Z",
  "variant_summary": "Systematic variant analysis of CVE-2026-5466 (wolfSSL ECCSI universal signature forgery). Ten distinct bypass and alternate-trigger attempts were tested against the fixed version (v5.9.1-stable); all ten were rejected, and no bypass or alternate entry point was found. Within the reviewed scope (wolfcrypt/src/eccsi.c), the upstream fix comprehensively covers wc_VerifyEccsiHash, the only ECCSI verification path.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/wolfSSL/wolfssl",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "922d04b3568c6428a9fb905ddee3ef5a68db3108",
    "version": "v5.9.0-stable",
    "display": "wolfSSL v5.9.0-stable (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "1d363f3adceba9d1478230ede476a37b0dcdef24",
    "version": "v5.9.1-stable",
    "display": "wolfSSL v5.9.1-stable (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "wc_VerifyEccsiHash attacker-controlled signature buffer",
  "validated_surface": "wc_VerifyEccsiHash attacker-controlled signature buffer",
  "required_entrypoint_kind": "library_api",
  "required_entrypoint_detail": "wc_VerifyEccsiHash in wolfcrypt/src/eccsi.c",
  "attacker_controlled_input": "ECCSI signature blob (r | s | PVT) passed to wc_VerifyEccsiHash",
  "trigger_path": "wolfcrypt/src/eccsi.c: wc_VerifyEccsiHash -> eccsi_decode_sig_r_pvt / eccsi_decode_sig_s -> eccsi_calc_j -> mp_cmp(jx, r)",
  "observed_impact_class": "signature_forge_universal",
  "exploitability_confidence": "none",
  "evidence_scope": "tested",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "upstream_fix_complete",
  "blocking_mitigation": "The upstream fix (commit 13a016367ff4b4d3cc4c9bc2bfdfe692a512dd81) adds range checks that require the signature components r and s to lie in [1, q-1], plus a defense-in-depth point-at-infinity guard. All ten tested variant inputs are rejected by the fixed version.",
  "file_path": "wolfcrypt/src/eccsi.c",
  "line_start": 2204,
  "line_end": 2348,
  "secondary_anchors": [
    {
      "file_path": "wolfcrypt/src/eccsi.c",
      "line_start": 2151,
      "line_end": 2171
    }
  ],
  "review_scope_paths": [
    "wolfcrypt/src/eccsi.c"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "repro_log": "logs/variant_fixed.txt",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh",
      "vuln_variant/eccsi_variant.c"
    ]
  }
}
