Description
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In TLSX_EchChangeSNI, the ctx->extensions branch selects the shared WOLFSSL_CTX extension list as the target even when TLSX_Find has returned NULL, so on a connection with no inner SNI configured TLSX_UseSNI attaches the attacker-controlled ECH publicName to the shared context rather than to the connection. TLSX_EchRestoreSNI only removes the entry when that lookup had succeeded (serverNameX != NULL), so the pollution persists in the context. Because the inner ClientHello is sized before the change and written after it, TLSX_SNI_Write copies 255 bytes past the end of the buffer allocated for it: an out-of-bounds write (CWE-787) that corrupts heap memory, crashes the process at minimum, and potentially allows code execution.
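The pattern the Description and the paragraph above describe, reduced to a runnable C model. This is an added example, not wolfSSL code: Ext, ModelCtx, ModelSsl, HELLO_BASE and every model_* function are invented stand-ins, the SNI encoding is a one-byte-length simplification of the real extension format, and the fixed variant is only this model's minimal guard (do not select the shared list when the lookup fails), an assumption about the shape of a fix rather than the vendor's patch. The model keeps the three ingredients the advisory names: the target list is chosen even when the lookup returns NULL, the restore step is gated on that same lookup, and the ClientHello is sized before the SNI change but written after it. Instead of actually overrunning the heap, the writer counts the bytes that would have been copied past the allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Added model of the size-before/write-after bug behind CVE-2026-5503. Not wolfSSL code: Ext, ModelCtx,
 * ModelSsl and every model_* name are stand-ins, and the SNI encoding is a one-byte-length simplification. */
#define EXT_SNI      0
#define EXT_OTHER    1                  /* any non-SNI extension shared through the ctx */
#define SNI_NAME_MAX 255
#define HELLO_BASE   38                 /* fixed bytes before the extensions block */
typedef struct Ext { int type; unsigned char name[SNI_NAME_MAX]; size_t nameLen; struct Ext* next; } Ext;
typedef struct { Ext* extensions; } ModelCtx;                   /* shared, like WOLFSSL_CTX */
typedef struct { Ext* extensions; ModelCtx* ctx; } ModelSsl;    /* per connection, like WOLFSSL */
/* The list a connection serialises: its own, falling back to the shared ctx list. */
#define EFFECTIVE(s) ((s)->extensions != NULL ? (s)->extensions : (s)->ctx->extensions)

static Ext* model_find(Ext* list, int type)
{ for (; list != NULL && list->type != type; list = list->next) { } return list; }

static int model_use_sni(Ext** list, const unsigned char* name, size_t len)   /* like TLSX_UseSNI */
{
    Ext* e = model_find(*list, EXT_SNI);
    if (len > SNI_NAME_MAX) return -1;
    if (e == NULL) {                    /* no SNI entry yet: allocate one and push it at the head */
        if ((e = (Ext*)calloc(1, sizeof(Ext))) == NULL) return -1;
        e->type = EXT_SNI; e->next = *list; *list = e;
    }
    memcpy(e->name, name, len); e->nameLen = len;
    return 0;
}

static size_t model_ext_size(const Ext* e) { return e->type == EXT_SNI ? 1 + e->nameLen : 2; }
static size_t model_size(const Ext* list)
{ size_t n = HELLO_BASE; for (; list != NULL; list = list->next) n += model_ext_size(list); return n; }

/* Serialise into out[cap] (non-SNI entries are 2 zero bytes, already there from calloc). Where the real
 * TLSX_SNI_Write memcpy'd past the allocation, this copies only what fits and returns the spilled count. */
static size_t model_write(const Ext* list, unsigned char* out, size_t cap)
{
    size_t pos = HELLO_BASE, spilled = 0;
    for (; list != NULL; list = list->next) {
        size_t need = model_ext_size(list), fits = pos + need <= cap ? need : cap - pos;
        if (list->type == EXT_SNI && fits > 0) {
            out[pos] = (unsigned char)list->nameLen;       /* length byte, then the name */
            memcpy(out + pos + 1, list->name, fits - 1);   /* the real code copied all `need` bytes */
        }
        pos += fits; spilled += need - fits;
    }
    return spilled;
}

/* Mirrors TLSX_EchChangeSNI's choice of target list. fixed == 0 reproduces the bug: the ctx branch selects
 * the shared list even when the lookup returned NULL. fixed == 1 is this model's minimal guard, an
 * assumption about the shape of a fix, not the vendor's patch. */
static int model_change_sni(ModelSsl* ssl, const unsigned char* pub, size_t len, int fixed,
                            Ext** serverNameX, Ext* backup)
{
    Ext** extensions = NULL;
    *serverNameX = NULL;
    if (ssl->extensions != NULL) {
        *serverNameX = model_find(ssl->extensions, EXT_SNI);
        if (*serverNameX != NULL) extensions = &ssl->extensions;
    }
    if (*serverNameX == NULL && ssl->ctx->extensions != NULL) {
        *serverNameX = model_find(ssl->ctx->extensions, EXT_SNI);
        if (!fixed || *serverNameX != NULL) extensions = &ssl->ctx->extensions;
    }
    if (extensions == NULL) return 0;
    if (*serverNameX != NULL) *backup = **serverNameX;       /* keep the inner name for the restore */
    return model_use_sni(extensions, pub, len);
}

/* Mirrors TLSX_EchRestoreSNI: gated on the lookup having succeeded, so an added entry is never removed. */
static void model_restore_sni(Ext* serverNameX, const Ext* backup)
{
    if (serverNameX == NULL) return;
    memcpy(serverNameX->name, backup->name, backup->nameLen);
    serverNameX->nameLen = backup->nameLen;
}

typedef struct { size_t spilled; int ctxPolluted; } ModelResult;

/* Constructed scenario: no inner SNI, a shared ctx holding one non-SNI extension, a 255-byte publicName. */
static ModelResult model_run(int fixed)
{
    unsigned char pub[SNI_NAME_MAX];
    Ext other = { EXT_OTHER, { 0 }, 0, NULL }, *serverNameX = NULL, backup;
    ModelCtx ctx = { &other }; ModelSsl ssl = { NULL, &ctx };
    ModelResult r;
    size_t cap = model_size(EFFECTIVE(&ssl));                /* sized before the change ... */
    unsigned char* buf = (unsigned char*)calloc(cap, 1);
    if (buf == NULL) abort();
    memset(pub, 'a', sizeof pub);
    model_change_sni(&ssl, pub, sizeof pub, fixed, &serverNameX, &backup);
    r.spilled = model_write(EFFECTIVE(&ssl), buf, cap);      /* ... written after it */
    model_restore_sni(serverNameX, &backup);
    r.ctxPolluted = model_find(ctx.extensions, EXT_SNI) != NULL;
    if (ctx.extensions != &other) free(ctx.extensions);      /* cleanup for this example only */
    free(buf);
    return r;
}
```

model_run(0) reports 256 spilled bytes in this simplified encoding (one length byte plus the 255-byte name) and a context that still carries the publicName after the restore step; model_run(1) reports 0 and a clean context. The 255 in the advisory reflects the real TLS extension encoding, which this model does not reproduce; what carries over is the sequence of decisions, not the byte count.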

Affected Systems

The flaw affects the wolfSSL cryptographic library, specifically the ECH code path around TLSX_EchChangeSNI and TLSX_EchRestoreSNI, which only exists in builds compiled with ECH support (HAVE_ECH). No version range is given in the advisory and the CPE recorded by NVD is a wildcard (cpe:2.3:a:wolfssl:wolfssl:*), so any build that includes the unpatched TLSX_EchChangeSNI code should be treated as vulnerable.

Risk and Exploitability

The CNA's CVSS 4.0 base score of 6.9 (Medium, VI:L/VA:L) indicates moderate severity, while NVD's later CVSS 3.1 assessment rates the same issue 9.1 (C:N/I:H/A:H); both agree on AV:N with no privileges or user interaction required. The vulnerability is not in the CISA KEV catalog and the SSVC record lists exploitation as 'none', so no exploitation in the wild has been reported. Note how the attacker reaches the bug: publicName is a field of the ECH configuration, and the inner ClientHello is constructed by the client, so the vulnerable path runs in a wolfSSL client that performs ECH with a configuration the attacker controls (ECH configs are fetched out of band, typically from a DNS HTTPS record) on a connection that has no inner SNI set. The attacker therefore needs control of the ECH configuration the client consumes, whether through spoofed DNS or whatever other channel the application uses, and because the pollution lands in the shared WOLFSSL_CTX it carries over to later connections created from that context.

Generated by OpenCVE AI on April 9, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to the first release that includes the TLSX_EchChangeSNI fix as soon as one is available; no fixed version is listed on this page.
  • If an upgrade is not immediately possible, keep the vulnerable path unreachable: build wolfSSL without ECH support, or do not load ECH configurations into affected clients. The description indicates the bad branch is taken only when no inner SNI is configured, so setting an explicit SNI on every ECH connection should also avoid it, but treat that as a mitigation inferred from the description, not a vendor-confirmed workaround.
  • Treat ECH configurations as untrusted input: obtain them only through a channel you trust (for example a validating resolver for DNS HTTPS records), since control of the configuration's publicName is what the attacker needs.
  • Verify that the updated library is actually the one loaded (for example by checking LIBWOLFSSL_VERSION_STRING from wolfssl/version.h in the deployed build) and monitor ECH-enabled clients for crashes or unexpected TLS errors.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Fri, 10 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wolfssl
                                       Wolfssl wolfssl
Vendors & Products                     Wolfssl
                                       Wolfssl wolfssl

Thu, 09 Apr 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description                    In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.
Title                          out-of-bounds write in TLSX_EchChangeSNI via attacker-controlled publicName
Weaknesses                     CWE-787
References
Metrics                        cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-10T17:58:51.312Z

Reserved: 2026-04-03T15:55:20.740Z

Link: CVE-2026-5503

Vulnrichment

Updated: 2026-04-10T17:58:48.245Z

NVD

Status : Analyzed

Published: 2026-04-09T23:17:01.257

Modified: 2026-04-27T17:53:27.263

Link: CVE-2026-5503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:34Z

Weaknesses