Description
X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.
Published: 2026-06-25
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

wolfSSL incorrectly treats the Subject Common Name of an X.509 certificate as a DNS type name. This flaw allows a certificate whose CN violates an issuing CA's DNS name constraints to be accepted as valid. The result is that an attacker can present a forged certificate and achieve elevated trust, enabling possible man‑in‑the‑middle attacks or credential spoofing. The weakness is an instance of improper certificate validation, potentially compromising confidentiality, integrity, and authenticity of secure communications.

Affected Systems

This vulnerability impacts the wolfSSL library. No specific version range is listed in the CNA data; however, the associated pull request (https://github.com/wolfSSL/wolfssl/pull/10223) indicates that the issue is addressed in a recent change. Systems that rely on wolfSSL for TLS or certificate validation without updating to the fixed version are affected.

Risk and Exploitability

The CVSS score of 6 denotes moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. The likely attack vector is through TLS connections where wolfSSL performs certificate verification. An attacker would need to supply a malicious certificate to a system using the affected library; upon processing, the CN is mistakenly checked as a DNS name, bypassing the issuer's name constraints. This bypass permits an otherwise disallowed certificate to be trusted, leading to potential data compromise or impersonation attacks.

Generated by OpenCVE AI on June 25, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to the latest release that incorporates the fix referenced in the pull request 10223.
  • If upgrading immediately is not possible, restrict the use of the CN field for DNS names by ensuring certificates employ Subject Alternative Name (SAN) fields, and configure your application to validate only the SAN entries.
  • Deploy a secondary certificate validation layer or use an alternative TLS library that properly enforces name constraints until a patch is available.

Generated by OpenCVE AI on June 25, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.
Title X.509 name constraint bypass via Subject CN treated as a DNS name
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-26T13:16:07.279Z

Reserved: 2026-04-20T21:59:52.635Z

Link: CVE-2026-6731

cve-icon Vulnrichment

Updated: 2026-06-26T13:14:43.040Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:45:16Z

Weaknesses
  • CWE-295

    Improper Certificate Validation