Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.
AnalysisAI
Integer underflow in wolfSSL's ASN.1 certificate parser allows remote attackers to trigger information disclosure and potential memory access violations when processing malformed X.509 certificates with oversized Subject Alternative Name extensions. The vulnerability affects wolfSSL versions up to 5.9.0 but only impacts systems using the non-default original ASN.1 parsing implementation; no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability exists in wolfSSL's ASN.1 parsing implementation used to process X.509 certificate extensions, specifically the Subject Alternative Name (SAN) field. When parsing ASN.1 DER-encoded data, the parser maintains an internal length counter to track remaining bytes in a sequence. A malformed certificate can specify an entry length that exceeds the enclosing sequence's declared length, causing this counter to underflow (wrap around due to unsigned integer arithmetic, CWE-191). This integer underflow leads to incorrect buffer boundary calculations during subsequent parsing operations, potentially allowing out-of-bounds memory reads. The flaw is confined to systems explicitly using the original ASN.1 parser rather than the default implementation, significantly limiting real-world exposure.
RemediationAI
Upgrade to wolfSSL version 5.10.0 or later, which includes the fix for the ASN.1 integer underflow. If immediate patching is not feasible, disable or avoid explicit use of the original ASN.1 parsing implementation (the default configuration is safe). No workaround is available for systems requiring the legacy parser. Refer to the wolfSSL GitHub repository (https://github.com/wolfSSL/wolfssl/pull/10024) for technical details and verification that the fix has been applied in your deployed version.
wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra
In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (
An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh
An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).
wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e
wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di
Same weakness CWE-191 – Integer Underflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21290
GHSA-9qgc-pcpx-g38q