Impact
Certificate path verification in wolfSSL may accept a chain that ends with a peer‑supplied intermediate certificate as a trusted anchor when the X509_V_FLAG_PARTIAL_CHAIN flag is enabled. This logic flaw allows an attacker to present a custom chain terminating in an intermediate they control, causing the library to treat the chain as valid. The resulting authentication bypass could enable Man‑in‑the‑Middle attacks, data tampering, or credential theft by allowing clients or servers to trust certificates that are not anchored to a known root.
Affected Systems
wolfSSL implementations that employ the OpenSSL compatibility layer for certificate path building, specifically the wolfSSL_X509_verify_cert function and X509_STORE, are impacted. The vulnerability arises when the X509_V_FLAG_PARTIAL_CHAIN option is set during verification. No specific product versions were listed, but any wolfSSL build that enables the partial‑chain flag remains vulnerable.
Risk and Exploitability
The CVSS score of 6 classifies the vulnerability as moderate. The exploit probability (EPSS) is currently unavailable and the issue is not featured in the CISA KEV catalog. An attacker must be able to supply a custom certificate chain to a client or server that has enabled the partial‑chain flag; once that flag is active, the attacker can construct a chain that ends with an intermediate they control, which is then accepted as a trust anchor, allowing the bypass of proper certificate validation.
OpenCVE Enrichment