Description
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.
Published: 2026-04-09
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption via Heap Out‑of‑Bounds Write
Action: Apply Patch
AI Analysis

Impact

DecodeObjectId() in wolfSSL performs an incorrect bounds check, writing two Object Identifier components into an output buffer that is only sized for one. A second flaw allows callers to pass the size of the structure instead of the intended element count, enabling an attacker to provide a crafted ASN.1 value with 33 or more arcs that overflows the buffer. The resulting heap write can corrupt adjacent memory, potentially causing crashes or unpredictable behavior; no direct remote code execution path is documented for this flaw.

Affected Systems

The issue resides in the wolfSSL cryptographic library; it applies to any application that links against wolfSSL versions containing the legacy DecodeObjectId implementation within wolfcrypt/src/asn.c. Specific version ranges are not enumerated in the CNA data, so all releases compiled with this code are potentially affected.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and the vulnerability is not listed in CISA’s KEV catalog. The exploit requires a crafted ASN.1 payload that the application processes; if the WC_ASN_UNKNOWN_EXT_CB callback is enabled, the payload could be transmitted over a network, giving a remote attacker a network‑reachable vector. Absent that option, exploitation remains limited to local or application‑level input. Overall risk is low to moderate pending the presence of the callback and the ability to supply the malicious ASN.1 data.

Generated by OpenCVE AI on April 9, 2026 at 21:50 UTC.

Remediation

Vendor Solution

Fix Bug 1: Add a bounds check requiring at least 2 output slots before writing the first OID arc split (y == 0 case). Fix Bug 2: Change callers to pass the element count (MAX_OID_SZ) instead of sizeof(decOid) as the output buffer size parameter.

Vendor Workaround

Do not enable WC_ASN_UNKNOWN_EXT_CB or do not register an unknown extension callback if not required. This mitigates the network-reachable variant (Bug 2) but does not address Bug 1.

OpenCVE Recommended Actions

  • Apply the latest wolfSSL patch that adds the required bounds check for two output slots and changes callers to use MAX_OID_SZ instead of sizeof(decOid).
  • If the patch cannot be applied immediately, disable the WC_ASN_UNKNOWN_EXT_CB feature or avoid registering an unknown extension callback so the network‑reachable variant of the overflow cannot be triggered.

Generated by OpenCVE AI on April 9, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://github.com/wolfSSL/wolfssl cve-icon cve-icon
History

Thu, 16 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.
Title Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL
Weaknesses CWE-122
CWE-787
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-14T14:04:53.585Z

Reserved: 2026-03-30T19:57:33.843Z

Link: CVE-2026-5187

cve-icon Vulnrichment

Updated: 2026-04-14T14:04:21.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T20:16:28.233

Modified: 2026-04-16T20:39:33.917

Link: CVE-2026-5187

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:25Z

Weaknesses