Impact
An out‑of‑bounds read occurs in wolfSSL when it parses the Application‑Layer Protocol Negotiation (ALPN) extension during the TLS handshake. The root cause is incomplete validation of the peer‑supplied ALPN protocol list: the parser trusts lengths carried inside the list, so a crafted list can make it read past the end of the received buffer. The flaw does not allow privilege escalation or disclosure of data; its only effect is a crash of the process that links wolfSSL, which is a denial‑of‑service condition for any application relying on the library.
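To make the "incomplete validation" concrete, here is an added example of a bounds‑checked ALPN list parser. It is illustrative code written for this page, not wolfSSL's implementation, and it does not reproduce wolfSSL's specific defect; it shows the three length checks that any parser of an RFC 7301 ProtocolNameList needs so that no read depends on a peer‑controlled length. The function names (alpn_walk, alpn_count, alpn_has) and the byte vectors are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes returned by the hypothetical parser below (negative so they
   never collide with a valid name count). */
enum { ALPN_TRUNCATED = -1, ALPN_BAD_LENGTH = -2 };

/*
 * Walk an ALPN extension body (RFC 7301 ProtocolNameList):
 *   uint16 list_length, then repeated { uint8 name_length, name bytes }.
 * Every read is bounded by `len`, the number of bytes actually received,
 * never by a length taken from the peer's data alone.
 * Returns the number of names, or a negative error. If `want` is given,
 * *found is set to 1 when that name appears in the list.
 */
static int alpn_walk(const uint8_t *ext, size_t len, const char *want, int *found)
{
    size_t idx = 2;
    size_t want_len = want ? strlen(want) : 0;
    int count = 0;

    if (found) *found = 0;

    /* Check 1: the two-byte list length must itself be present. */
    if (len < 2) return ALPN_TRUNCATED;

    /* Check 2: the declared list length must cover exactly the bytes that
       follow. Trusting it without this check is what lets a short message
       drive a read beyond the end of the buffer. */
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len < 2 || list_len != len - 2) return ALPN_BAD_LENGTH;

    while (idx < len) {
        size_t name_len = ext[idx++];

        /* RFC 7301 forbids empty names; an empty name would also stall the loop. */
        if (name_len == 0) return ALPN_BAD_LENGTH;

        /* Check 3: each name length must fit in what remains; this per-entry
           bound is independent of the outer list length. */
        if (name_len > len - idx) return ALPN_TRUNCATED;

        if (found && name_len == want_len && memcmp(ext + idx, want, name_len) == 0)
            *found = 1;

        idx += name_len;
        count++;
    }
    return count;
}

/* Number of protocol names in a well-formed list, or a negative error. */
int alpn_count(const uint8_t *ext, size_t len)
{
    return alpn_walk(ext, len, NULL, NULL);
}

/* 1 if `name` is offered, 0 if not, negative error if the list is malformed. */
int alpn_has(const uint8_t *ext, size_t len, const char *name)
{
    int found = 0;
    int rc = alpn_walk(ext, len, name, &found);
    return rc < 0 ? rc : found;
}

/* Constructed test vectors (hand-assembled for this example, not captured traffic). */
/* Well-formed list offering "h2" and "http/1.1". */
const uint8_t alpn_good[] = {
    0x00, 0x0C, 0x02, 'h', '2',
    0x08, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
/* Outer length claims 12 bytes but only 6 follow: rejected by check 2. */
const uint8_t alpn_short_outer[] = { 0x00, 0x0C, 0x02, 'h', '2', 0x08, 'h', 't' };
/* Outer length is consistent, but the second name length (5) points past
   the end of the buffer: rejected by check 3. */
const uint8_t alpn_short_inner[] = { 0x00, 0x04, 0x02, 'h', '2', 0x05 };

int main(void)
{
    printf("good: %d names, h2 offered: %d\n",
           alpn_count(alpn_good, sizeof alpn_good),
           alpn_has(alpn_good, sizeof alpn_good, "h2"));
    printf("short outer: %d\n", alpn_count(alpn_short_outer, sizeof alpn_short_outer));
    printf("short inner: %d\n", alpn_count(alpn_short_inner, sizeof alpn_short_inner));
    return 0;
}
```

The third vector is the interesting one: its outer length is internally consistent, so a parser that validates only the list length and then trusts each name length would walk off the end of the buffer. Check 3 is what turns that into a clean rejection instead of a crash.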
Affected Systems
The affected product is the wolfSSL library, version 5.8.4 and all earlier releases built with ALPN support (HAVE_ALPN, selected with --enable-alpn). ALPN is off by default, but it is turned on automatically by several third‑party compatibility build options, including those for Apache HTTPD, Bind, Curl, HAProxy, Hitch, Lighty, JNI, NGINX, and QUIC, so deployments built with those options are exposed even though --enable-alpn was never passed explicitly. Whether a given build has ALPN compiled in can be confirmed by checking for HAVE_ALPN in the generated wolfssl/options.h.
Risk and Exploitability
The CVSS base score is 7.5 (High), while the EPSS score is below 1 %, indicating a low predicted probability of exploitation in the wild. The flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker needs only network reachability to a service that uses wolfSSL with ALPN enabled: a single handshake carrying a malicious ALPN list is enough, and no credentials are required because the extension is parsed before either side has been authenticated. Because the vulnerability only causes a crash, it does not provide remote code execution or data exfiltration; the impact is limited to availability, though a service that restarts automatically can be crashed again for as long as the attacker keeps connecting.