Description
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.
Published: 2026-04-10
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Integer underflow during X.509 SAN parsing may lead to incorrect certificate handling.
Action: Assess Impact
AI Analysis

Impact

An integer underflow occurs in the X.509 Subject Alternative Name parsing routine of wolfSSL. A malformed certificate can declare a length larger than the surrounding ASN.1 sequence, causing an internal length counter to wrap and the library to misinterpret the data. The defect limits the handling of certificate content, potentially leading to invalid certificate validation or denial of service. No known exploitation beyond incorrect parsing has been reported.

Affected Systems

The flaw affects the wolfSSL library. It is present only in configurations that use the original ASN.1 parsing implementation, which is disabled by default. No specific version information is supplied, so any deployment employing the legacy parser may be susceptible.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Attackers could potentially supply crafted certificates over the network to trigger the underflow, but exploitation is constrained by the need to use the legacy parser. The likelihood of exploitation is uncertain and likely low without a broader vulnerability impact.

Generated by OpenCVE AI on April 10, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to the latest release where this issue is resolved.
  • If an update is unavailable, configure the application to use the newer ASN.1 parser instead of the legacy implementation.
  • Validate certificates and reject those with malformed SAN entries.
  • Monitor logs for certificate parsing errors or anomalies.

Generated by OpenCVE AI on April 10, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Fri, 10 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Description An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.
Title Integer underflow in X.509 SAN parsing in wolfSSL
Weaknesses CWE-191
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-10T13:41:51.326Z

Reserved: 2026-03-30T19:57:35.065Z

Link: CVE-2026-5188

cve-icon Vulnrichment

Updated: 2026-04-10T13:41:48.489Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T04:17:15.700

Modified: 2026-04-29T13:54:37.483

Link: CVE-2026-5188

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:26:53Z

Weaknesses