CVE-2026-2646

| EUVD-2026-13137 MEDIUM
2026-03-19 wolfSSL
5.0
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

3
Analysis Generated
Mar 19, 2026 - 18:00 vuln.today
EUVD ID Assigned
Mar 19, 2026 - 18:00 euvd
EUVD-2026-13137
CVE Published
Mar 19, 2026 - 17:25 nvd
MEDIUM 5.0

Tags

Buffer Overflow Deserialization Heap Overflow

Description

A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable.

Analysis

Heap buffer overflow in wolfSSL's session deserialization function allows local attackers with low privileges to corrupt heap memory by crafting malicious session data with invalid certificate lengths. The vulnerability affects systems with SESSION_CERTS enabled that load external session data, requiring user interaction or specific configuration to exploit. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

25
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +25
POC: 0

Share

CVE-2026-2646 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy