CVE-2026-8720

Name	CVE-2026-8720
Description	wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1140815

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
wolfssl (PTS)	bullseye	4.6.0+p1-0+deb11u2	vulnerable
	bookworm	5.5.4-2+deb12u2	vulnerable
	trixie	5.7.2-0.1+deb13u1	vulnerable
	forky, sid	5.9.1-0.1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
wolfssl	source	(unstable)	(unfixed)			1140815

https://github.com/wolfSSL/wolfssl/pull/10447 (v5.9.2-stable)