Skip to main content

wolfSSL CVE-2026-55964

| EUVDEUVD-2026-39544 MEDIUM
Improper Certificate Validation (CWE-295)
2026-06-25 wolfSSL GHSA-68g3-7fhp-7rg3
6.3
CVSS 4.0 · Vendor: wolfSSL
Share

Severity by source

Vendor (wolfSSL) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network vector applies as chain is supplied over TLS, but AC:H reflects the prerequisite MITM/chain-control position and non-default build configuration; integrity-only, limited impact, no scope change.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wolfSSL).

CVSS VectorVendor: wolfSSL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 25, 2026 - 20:23 vuln.today
Analysis Generated
Jun 25, 2026 - 20:23 vuln.today
CVE Published
Jun 25, 2026 - 19:30 cve.org
MEDIUM 6.3

DescriptionCVE.org

Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while building a certificate path were previously exempted from this check, so an intermediate asserting CA:TRUE but lacking keyCertSign was accepted as a signing CA. The check now applies to chain-supplied temporary CAs as well; only operator-loaded root certificates (WOLFSSL_USER_CA) and self-signed roots remain exempt. Per RFC 5280 an absent Key Usage extension implies all usages, so the requirement is enforced only when the extension is actually present (extKeyUsageSet). Affects the OpenSSL-compatibility certificate-path-building path (X509_verify_cert / X509_STORE, OPENSSL_EXTRA/OPENSSL_ALL), where untrusted chain intermediates are added as temporary CAs; native (non-OpenSSL-compat) certificate verification does not create temporary CAs and is unaffected. Within those builds, the check applies unless ALLOW_INVALID_CERTSIGN is defined.

AnalysisAI

Certificate chain validation bypass in wolfSSL's OpenSSL-compatibility layer permits a crafted intermediate CA certificate asserting CA:TRUE but missing the keyCertSign key usage bit to be accepted as a valid signing CA during path building. Affected deployments are those compiled with OPENSSL_EXTRA or OPENSSL_ALL that use the X509_verify_cert/X509_STORE API; native wolfSSL verification is entirely unaffected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify wolfSSL OpenSSL-compat build via fingerprinting
Delivery
Gain MITM or chain-supply position on TLS session
Exploit
Present crafted intermediate cert (CA:TRUE, Key Usage extension present, keyCertSign bit absent)
Execution
Intermediate registered as WOLFSSL_TEMP_CA without keyCertSign check
Persist
Chain validation accepts intermediate as signing CA
Impact
Present attacker-signed end-entity cert as trusted

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to be simultaneously true: (1) the target application uses wolfSSL compiled with OPENSSL_EXTRA or OPENSSL_ALL; (2) the application uses X509_verify_cert or X509_STORE for certificate path building (the OpenSSL-compat path); (3) the build does NOT define ALLOW_INVALID_CERTSIGN; and (4) the attacker can supply a crafted untrusted chain intermediate - either via a MITM position on a TLS connection where the peer provides its own chain, or by controlling a subordinate CA that issues certificates consumed by the verifier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with vector AV:N/AC:L/AT:P/PR:N/UI:N reflects a medium-severity flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a MITM position on a TLS connection to an application using wolfSSL's OpenSSL-compat verification path presents a crafted certificate chain containing an intermediate certificate that asserts CA:TRUE in the Basic Constraints extension but includes a Key Usage extension that does not set the keyCertSign bit. The vulnerable AddCA() logic accepts this intermediate as WOLFSSL_TEMP_CA without checking the keyCertSign requirement, allowing the attacker to then present an end-entity certificate signed by this malformed intermediate that passes chain validation. …
Remediation The upstream fix is available as GitHub PR #10702 (https://github.com/wolfSSL/wolfssl/pull/10702); a tagged release version containing this fix is not independently confirmed from available data - consult the wolfSSL security advisory at https://www.wolfssl.com/docs/security-vulnerabilities/ for the confirmed patched release and upgrade to that version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

CVE-2026-55964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy