Description
X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by calling X509_verify_cert() with caller-supplied untrusted intermediate certificates; for those users it is critical, otherwise the library is unaffected. In particular, native wolfSSL TLS/DTLS usage is not impacted. wolfSSL's X509_verify_cert() temporarily loads each caller-supplied untrusted intermediate into the certificate manager but failed to drop them before the trusted-store check, so an untrusted intermediate could anchor the path itself. An attacker can present a chain that never reaches a configured trust anchor and have it accepted, resulting in acceptance of an attacker-controlled certificate. This is certificate verification independent of TLS (e.g. S/MIME/CMS, code/firmware signing, JWT/JWS x5c), is not specific to any key type or algorithm, and a single untrusted intermediate suffices. The default wolfSSL TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only TLS applications doing manual or deferred peer verification through this API are, which also requires --enable-sessioncerts.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the wolfSSL_X509_verify_cert() routine, where untrusted intermediate certificates supplied by the caller are not removed before the trusted‑store check is performed. As a result, an attacker can craft a chain that never reaches a configured trust anchor yet is accepted as valid. While native wolfSSL TLS/DTLS flows are unaffected, any application that uses X509_verify_cert() for manual or deferred peer verification—including S/MIME, CMS, code signing, or JWT/JWS processing—can be tricked into accepting an attacker‑controlled certificate. The flaw is independent of key type or algorithm and requires only a single untrusted intermediate.

Affected Systems

wolfSSL wolfSSL builds that enable the OpenSSL compatibility layer ("--enable-opensslextra") and that invoke X509_verify_cert() with caller‑supplied untrusted intermediates are affected. Applications that use wolfSSL’s default TLS handshake mode (WOLFSSL_VERIFY_PEER) are not impacted certificates via "--enable-sessioncerts" and call X509_verify_cert() explicitly.

Risk and Exploitability

With a CVSS score of 8.7 the severity is high, though no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to supply a malicious certificate chain that is processed by an application performing manual verification. If the application receives this chain from an untrusted source—such as a network connection or a user‑supplied file—the attacker could bypass certificate validation and obtain trust in a forged certificate. The exploit requires no special privilege on the vulnerable host and can be executed entirely from the application layer.

Generated by OpenCVE AI on June 25, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest wolfSSL release that fixes the X509_verify_cert() intermediate handling bug
  • If an update is unavailable, disable the OpenSSL compatibility layer by omitting "--enable-opensslextra" during build
  • Avoid manual or deferred certificate verification with X509_verify_cert() that accepts untrusted intermediates; instead rely on wolfSSL’s built‑in TLS peer verification
  • If manual verification is required, ensure that no untrusted intermediate certificates are imported into the verification context

Generated by OpenCVE AI on June 25, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by calling X509_verify_cert() with caller-supplied untrusted intermediate certificates; for those users it is critical, otherwise the library is unaffected. In particular, native wolfSSL TLS/DTLS usage is not impacted. wolfSSL's X509_verify_cert() temporarily loads each caller-supplied untrusted intermediate into the certificate manager but failed to drop them before the trusted-store check, so an untrusted intermediate could anchor the path itself. An attacker can present a chain that never reaches a configured trust anchor and have it accepted, resulting in acceptance of an attacker-controlled certificate. This is certificate verification independent of TLS (e.g. S/MIME/CMS, code/firmware signing, JWT/JWS x5c), is not specific to any key type or algorithm, and a single untrusted intermediate suffices. The default wolfSSL TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only TLS applications doing manual or deferred peer verification through this API are, which also requires --enable-sessioncerts.
Title X.509 trust-chain bypass in wolfSSL_X509_verify_cert() via untrusted intermediate anchoring
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T19:38:19.099Z

Reserved: 2026-06-04T17:58:49.009Z

Link: CVE-2026-11310

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:00:05Z

Weaknesses
  • CWE-295

    Improper Certificate Validation