Skip to main content

wolfSSL CVE-2026-11999

| EUVDEUVD-2026-39496 HIGH
Improper Certificate Validation (CWE-295)
2026-06-25 wolfSSL GHSA-wrw6-8jh4-qvcx
8.2
CVSS 4.0 · Vendor: wolfSSL
Share

Severity by source

Vendor (wolfSSL) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AC:H reflects the required non-default opensslextra manual-verification path plus a >100-deep crafted chain; PR:N/UI:N as no auth or interaction is needed; impact is integrity-only (I:H), no confidentiality or availability.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wolfSSL).

CVSS VectorVendor: wolfSSL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 25, 2026 - 18:20 vuln.today
Analysis Generated
Jun 25, 2026 - 18:20 vuln.today
CVE Published
Jun 25, 2026 - 16:56 cve.org
HIGH 8.2

DescriptionCVE.org

X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted intermediates; for those users it is critical, otherwise the library is unaffected. Native wolfSSL TLS/DTLS usage is not impacted. X509_verify_cert() returned success based only on the last verified link rather than on reaching a trust anchor: when the supplied chain is deeper than the verifier's maximum path depth (default 100), path building runs out of depth while still walking untrusted intermediates and the chain is accepted even though it never reaches a configured trust anchor, allowing acceptance of an attacker-controlled certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only applications doing manual or deferred verification through this API are.

AnalysisAI

Certificate trust-chain bypass in wolfSSL allows attackers to have an attacker-controlled certificate accepted as valid, but only in builds compiled with --enable-opensslextra where the application calls the OpenSSL-compatibility X509_verify_cert() with caller-supplied untrusted intermediates. The verifier returned success based on the last verified link instead of confirming the chain reaches a configured trust anchor, so a chain deeper than the maximum path depth (default 100) is accepted without ever validating against a trusted root. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify app using opensslextra X509_verify_cert()
Delivery
Build chain of >100 untrusted intermediates
Exploit
Present chain to verifier
Execution
Path depth exhausted before trust anchor
Persist
Attacker certificate accepted as trusted
Impact
Impersonate peer / bypass authentication

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following concrete prerequisites: the wolfSSL build must be compiled with --enable-opensslextra (the OpenSSL compatibility layer), the application must call X509_verify_cert()/wolfSSL_X509_verify_cert() for manual or deferred verification rather than relying on the native TLS handshake, the application must pass caller-supplied untrusted intermediate certificates into that verification, and the attacker must supply a certificate chain deeper than the verifier's maximum path depth (default 100) that never reaches a configured trust anchor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N) scores 8.2 (High): network-reachable, no privileges, no user interaction, but with an explicit Attack Requirement (AT:P) and impact limited to integrity (VI:H) - there is no direct confidentiality or availability impact in the base metrics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can present a certificate chain to a vulnerable application (for example a malicious TLS server or a service feeding certificates into an app that defers verification) crafts a chain of more than 100 untrusted intermediates terminating in an attacker-controlled leaf and no legitimate trust anchor. The application calls X509_verify_cert() with these caller-supplied intermediates, path building exhausts its depth budget before reaching any trusted root, and the function returns success, causing the attacker certificate to be accepted as trusted. …
Remediation Patch available per vendor advisory; the upstream fix is available as wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/10674, but a tagged patched release version is not independently confirmed in the supplied data, so monitor https://www.wolfssl.com/docs/security-vulnerabilities/ for the official fixed release and upgrade to it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running wolfSSL, specifically identifying deployments built with --enable-opensslextra flag and using OpenSSL-compatibility X509_verify_cert() functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

CVE-2026-11999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy