Description
X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted intermediates; for those users it is critical, otherwise the library is unaffected. Native wolfSSL TLS/DTLS usage is not impacted. X509_verify_cert() returned success based only on the last verified link rather than on reaching a trust anchor: when the supplied chain is deeper than the verifier's maximum path depth (default 100), path building runs out of depth while still walking untrusted intermediates and the chain is accepted even though it never reaches a configured trust anchor, allowing acceptance of an attacker-controlled certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only applications doing manual or deferred verification through this API are.
Published: 2026-06-25
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in wolfSSL_X509_verify_cert() allows a supplied chain that exceeds the verifier's maximum path depth (default 100) to bypass the trust anchor check. When the chain is deeper than this limit, the verifier runs out of depth while still iterating over untrusted intermediates and returns success based solely on the last link, even though no configured anchor is reached. This permits an attacker to present a rogue certificate that the application will accept as valid, effectively allowing impersonation of servers or clients.
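The path-building failure described above, as an added C model that is not wolfSSL's code: certificates are reduced to subject/issuer names, the per-link signature check is assumed to pass, `max_depth` stands in for the verifier's default of 100, and the flawed verifier sits beside its hardened form so the difference at depth exhaustion is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal certificate model (assumption: only names matter for path building). */
typedef struct { const char *subject; const char *issuer; } Cert;

/* Find, among the caller-supplied untrusted intermediates, the cert that issued c. */
static const Cert *find_issuer(const Cert *c, const Cert *pool, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(pool[i].subject, c->issuer) == 0) return &pool[i];
    return NULL;
}

/* True if c was issued directly by a configured trust anchor (chain reached the root). */
static bool issued_by_anchor(const Cert *c, const char *const *anchors, size_t na) {
    for (size_t i = 0; i < na; i++)
        if (strcmp(anchors[i], c->issuer) == 0) return true;
    return false;
}

/* Flawed form, as the advisory describes it: success tracks only whether the last link
 * resolved, so exhausting max_depth while still inside untrusted intermediates falls
 * through to a success return although no trust anchor was ever reached. */
bool verify_vulnerable(const Cert *leaf, const Cert *pool, size_t n,
                       const char *const *anchors, size_t na, int max_depth) {
    const Cert *cur = leaf;
    bool last_link_ok = false;
    for (int depth = 0; depth < max_depth; depth++) {
        if (issued_by_anchor(cur, anchors, na)) return true;
        const Cert *iss = find_issuer(cur, pool, n);
        if (iss == NULL) return false;   /* no issuer at all: genuine failure */
        last_link_ok = true;             /* link resolved; signature modeled as valid */
        cur = iss;
    }
    return last_link_ok;                 /* BUG: depth exhausted, anchor never reached */
}

/* Hardened form: running out of depth is a failure; only an anchor yields success. */
bool verify_fixed(const Cert *leaf, const Cert *pool, size_t n,
                  const char *const *anchors, size_t na, int max_depth) {
    const Cert *cur = leaf;
    for (int depth = 0; depth < max_depth; depth++) {
        if (issued_by_anchor(cur, anchors, na)) return true;
        const Cert *iss = find_issuer(cur, pool, n);
        if (iss == NULL) return false;
        cur = iss;
    }
    return false;                        /* depth exceeded without a trust anchor: reject */
}
```

A detection-side check for an application that must keep using the compat API follows the same rule as `verify_fixed`: treat a verifier result that did not terminate at a certificate issued by a configured anchor as a failure, whatever the last link reported.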

Affected Systems

The vulnerability applies only to wolfSSL builds compiled with the --enable-opensslextra flag that use X509_verify_cert() and pass caller‑supplied untrusted intermediates. Applications that rely on wolfSSL's default TLS handshake (WOLFSSL_VERIFY_PEER) are unaffected. No specific version numbers are listed, so any build using this configuration may be vulnerable.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is considered high. The EPSS score is not available and it is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet. The attack requires an application that performs manual or deferred certificate verification through the vulnerable API and an attacker who can supply a chain deeper than the maximum path depth. The resulting attack vector could enable man‑in‑the‑middle attacks or unauthorized identity impersonation.

Generated by OpenCVE AI on June 25, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to the latest release that includes the fix for CVE-2026-11999.
  • Eliminate or replace any custom verification logic that calls X509_verify_cert() with caller‑supplied untrusted intermediates; instead rely on wolfSSL's default verification via WOLFSSL_VERIFY_PEER.
  • If custom verification is unavoidable, set a stricter verification depth by calling wolfSSL_SetVerifyDepth() to a low value (such as 5) and ensure the chain reaches a trusted anchor before accepting it.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 18:30:00 +0000

  • Type: Metrics
    Values Removed: (none)
    Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

  • Type: Description
    Values Added: (same text as the Description section above)
  • Type: Title
    Values Added: X.509 trust-chain bypass via path-depth exhaustion in wolfSSL_X509_verify_cert()
  • Type: Weaknesses
    Values Added: CWE-295
  • Type: References
    Values Added: (none)
  • Type: Metrics
    Values Added: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T17:56:41.168Z

Reserved: 2026-06-11T16:14:10.451Z

Link: CVE-2026-11999

Vulnrichment

Updated: 2026-06-25T17:56:37.686Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:30:14Z

Weaknesses
  • CWE-295: Improper Certificate Validation