Description
Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.
Published: 2026-06-25
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows certificates that use SHA‑1 or MD5 hash algorithms to be accepted by the wolfSSL library, in violation of current cryptographic standards. This weakens authentication and opens the door for attackers to create forged certificates, potentially enabling man‑in‑the‑middle attacks. The weakness is classified as CWE‑327.

Affected Systems

The issue affects all wolfSSL library deployments that have not updated to a version where SHA‑1/MD5 certificate processing has been disabled. No specific product version is listed in the record, but any application that uses wolfSSL for TLS may be impacted. Embedded systems, IoT devices, and other software that rely on wolfSSL for secure communications could be susceptible until a patch is applied.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and no exploit is known. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers would need the ability to supply a forged certificate or manipulate the certificate chain presented to an application using wolfSSL. If such an input path exists, they could potentially subvert identity verification. The potential impact exists only where legacy hashes have not been disabled by configuration or code changes.

Generated by OpenCVE AI on June 25, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wolfSSL to the latest release that removes SHA‑1/MD5 support in certificate validation.
  • Verify that your TLS configuration enforces the use of secure signature algorithms and rejects certificates signed with SHA‑1 or MD5.
  • Conduct a review of your certificate handling code or library usage to ensure that legacy digest algorithms are not inadvertently allowed.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.
Title | | Continued acceptance of SHA-1/MD5 digests in certificate processing
Weaknesses | | CWE-327
References | |
Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T20:38:29.761Z

Reserved: 2026-04-15T23:30:42.133Z

Link: CVE-2026-6412

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm