CVE-2026-6094

Heap buffer overread in wc PKCS7 DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.