Vulnerability Details CVE-2026-6094
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 21.1%
CVSS Severity
CVSS v3 Score 9.1
References