Description
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Certificates that include a wildcard DNS Subject Alternative Name bypass certificate authority name‑constraint checks; an attacker can present a certificate that should be rejected because its domain is outside the CA’s permitted range. The effect is that a verifier using the wolfSSL library could blindly accept the certificate, enabling domain impersonation or man‑in‑the‑middle attacks. This flaw falls under CWE‑295, improper certificate validation.
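As an added illustration, not wolfSSL's code and not the logic changed in the referenced pull request (the advisory does not show it): a stand-alone C check that applies RFC 5280 DNS name-constraint matching to a wildcard SAN by judging the names the wildcard could cover, so `*.example.com` is permitted only when `example.com` itself lies inside a permitted subtree. The function names, the constraint lists and the conservative treatment of excluded subtrees sitting one label below the wildcard base are choices of this example, not requirements stated in the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* True if name equals subtree or is a descendant of it on a label boundary
 * (RFC 5280 section 4.2.1.10 DNS name-constraint semantics, case-insensitive). */
static bool dns_in_subtree(const char *name, const char *subtree)
{
    size_t nlen = strlen(name), slen = strlen(subtree);
    if (slen == 0 || nlen < slen || strcasecmp(name + nlen - slen, subtree) != 0)
        return false;
    return nlen == slen || name[nlen - slen - 1] == '.';
}

/* Does a DNS SAN satisfy the issuing CA's permitted/excluded constraints?
 * A wildcard "*.base" stands for every single-label host under base, so it is
 * judged on everything it could match: base must lie in a permitted subtree and
 * no excluded subtree may cover base or sit exactly one label below it. */
bool dns_san_allowed(const char *san,
                     const char *const *permitted, size_t n_perm,
                     const char *const *excluded, size_t n_excl)
{
    bool wildcard = strncmp(san, "*.", 2) == 0;
    const char *base = wildcard ? san + 2 : san;
    if (*base == '\0' || strchr(base, '*') != NULL)
        return false;                 /* empty name or inner/nested wildcard */

    for (size_t i = 0; i < n_excl; i++) {
        if (dns_in_subtree(base, excluded[i]))
            return false;
        size_t elen = strlen(excluded[i]), blen = strlen(base);
        /* *.example.com could match an excluded bad.example.com exactly */
        if (wildcard && elen > blen + 1 && dns_in_subtree(excluded[i], base) &&
            memchr(excluded[i], '.', elen - blen - 1) == NULL)
            return false;
    }
    if (n_perm == 0)                  /* no permitted list: only exclusions apply */
        return true;
    for (size_t i = 0; i < n_perm; i++)
        if (dns_in_subtree(base, permitted[i]))
            return true;
    return false;
}
```

The key point for a verifier is that a wildcard must never short-circuit the constraint check: strip the `*.` and test the remaining base name exactly as a non-wildcard name would be tested.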

Affected Systems

The vulnerability is present in the wolfSSL SSL/TLS library. No specific version range is listed in the advisory; therefore any installation of wolfSSL that has not incorporated the fix from the referenced pull request is potentially affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur during a TLS handshake where the victim application trusts wolfSSL to enforce name‑constraint checks. Because no exploit code is publicly available and the issue relies on the application’s trust behavior, the risk level depends on how broadly wolfSSL is used and whether the environment requires strict name‑constraint enforcement.

Generated by OpenCVE AI on June 25, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to the latest released version that includes the PR 10549 fix.
  • Configure the application to enforce DNS name‑constraint checks explicitly, even if wolfSSL does not perform them by default.
  • Restrict use of wildcard certificates in the trusted certificate authority pool to mitigate the risk of domain spoofing.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wolfssl
                                      Wolfssl wolfssl
Vendors & Products                    Wolfssl
                                      Wolfssl wolfssl

Thu, 25 Jun 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
Title                          Wildcard DNS SAN bypasses CA name-constraint checks
Weaknesses                     CWE-295
References
Metrics                        cvssV4_0
                               {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T19:40:11.966Z

Reserved: 2026-06-01T21:10:33.519Z

Link: CVE-2026-10592

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:00:05Z

Weaknesses
  • CWE-295

    Improper Certificate Validation