Description
A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when parsed.
Published: 2026-06-25
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in wolfSSL’s ParseCRL_Extensions routine, where critical extensions are not enforced, allowing a crafted CRL that contains an unhandled critical extension to be accepted as valid. The result is that a once‑revoked or forged certificate can bypass revocation checks because the library mistakenly treats the CRL as trustworthy. This vulnerability is categorized as CWE‑295 (Improper Certificate Validation).

Affected Systems

All wolfSSL builds that have CRL support enabled are potentially impacted. Any deployment incorporating the wolfSSL library with CRL parsing enabled and without the patch that enforces critical‑extension verification is susceptible. The specific affected versions are those preceding the corrective changes in the library’s source history.

Risk and Exploitability

The CVSS score of 1 indicates a low technical impact, and no EPSS score is available. The CVE is not listed in the CISA KEV catalog, suggesting limited known exploitation. The likely attack vector is inferred: an attacker must supply a malicious CRL signed by a trusted authority to a system that parses CRLs, for example during a TLS handshake or when a client fetches a CRL to validate a server’s certificate. Because the vulnerable code path is only reached when CRL support is enabled, exploitation is restricted to environments that actively use CRLs for revocation checking.

Generated by OpenCVE AI on June 25, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wolfSSL library to the current release that contains the fix for critical‑extension enforcement in CRLs.
  • If revocation checking is not required in your deployment, disable CRL support in wolfSSL to remove the vulnerable code path.
  • Ensure that all CRLs fetched or supplied to wolfSSL are obtained only from trusted authorities and validate every critical extension before accepting a CRL.
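The enforcement step the analysis describes as missing, and that the last recommendation asks for, as an added example that is not wolfSSL's code: a minimal DER decoder for the CRL Extensions sequence that rejects any extension flagged critical whose OID the parser does not handle. The handled-OID set, the placeholder OID 1.2.3.4 and the sample bytes are constructed for this illustration.

```python
# Added illustration, not wolfSSL's code: RFC 5280 section 5.2 requires a CRL parser
# to reject any extension it does not recognise when that extension is marked critical.
HANDLED_CRL_EXTENSIONS = {  # assumed set of OIDs the hypothetical parser handles
    "2.5.29.20",            # cRLNumber
    "2.5.29.35",            # authorityKeyIdentifier
    "2.5.29.28",            # issuingDistributionPoint
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:       # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:      # base-128 arcs; high bit marks a continuation byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_crl_extensions(der):
    """Decode an Extensions SEQUENCE into a list of (oid, critical) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)        # Extension ::= SEQUENCE
        _, oid_body, p = _read_tlv(ext, 0)        # extnID OBJECT IDENTIFIER
        btag, bval, _ = _read_tlv(ext, p)         # critical BOOLEAN DEFAULT FALSE
        out.append((_decode_oid(oid_body), btag == 0x01 and bval != b"\x00"))
    return out

def crl_extensions_acceptable(der):
    """The enforcement step: any unhandled critical extension rejects the CRL."""
    return all(not crit or oid in HANDLED_CRL_EXTENSIONS
               for oid, crit in parse_crl_extensions(der))

# Constructed samples. BENIGN carries only cRLNumber=5; CRAFTED adds an extension
# with a made-up placeholder OID (1.2.3.4) whose critical flag is TRUE.
BENIGN = bytes.fromhex("300c" "300a" "0603551d14" "0403020105")
CRAFTED = bytes.fromhex("301a" "300a" "0603551d14" "0403020105"
                        "300c" "06032a0304" "0101ff" "04020500")
```

A parser that ignores the critical flag would accept CRAFTED just like BENIGN; the check in crl_extensions_acceptable is what closes that gap.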

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wolfssl; Wolfssl wolfssl
Vendors & Products                    Wolfssl; Wolfssl wolfssl

Thu, 25 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This only affects builds with CRL support enabled and where a crafted CRL had a trusted signature when parsed.
Title                          CRL critical extension bypass in ParseCRL_Extensions
Weaknesses                     CWE-295
References
Metrics                        cvssV4_0 {'score': 1, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T20:18:53.909Z

Reserved: 2026-04-16T19:15:04.573Z

Link: CVE-2026-6450

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:30:16Z

Weaknesses
  • CWE-295: Improper Certificate Validation