Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Non-default dual requirement (OPENSSL_EXTRA build flag plus X509_V_FLAG_PARTIAL_CHAIN runtime flag) maps to AC:H; attacker needs no privileges on the target system to present a crafted certificate chain.
Primary rating from Vendor (wolfSSL).
CVSS VectorVendor: wolfSSL
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that ends at an intermediate they control and have it accepted as valid. This affects the OpenSSL compatibility certificate-path-building path (wolfSSL_X509_verify_cert / X509_STORE, OPENSSL_EXTRA) when the X509_V_FLAG_PARTIAL_CHAIN verify flag is enabled.
AnalysisAI
Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows a network attacker to present a chain terminating at an untrusted intermediate they control, which is accepted as valid when X509_V_FLAG_PARTIAL_CHAIN is enabled. The flaw (CWE-295) resided in wolfSSL_X509_verify_cert, where the partial-chain fallback confirmed only that some intermediate was temporarily loaded into the CertManager during path building - not that the terminal certificate was in the caller's actual trust store. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two explicit conditions must be simultaneously true: (1) wolfSSL must be compiled with OPENSSL_EXTRA to enable the OpenSSL compatibility certificate-path-building API (wolfSSL_X509_verify_cert / X509_STORE); and (2) the application must explicitly call X509_STORE_set_flags with X509_V_FLAG_PARTIAL_CHAIN - this flag is not set by default. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N) reflects a network-reachable integrity flaw with the AT:P (attack requirements present) metric confirming that a specific non-default condition - the X509_V_FLAG_PARTIAL_CHAIN flag - must be explicitly set by the application. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a rogue TLS server or positioned for MITM constructs a certificate chain where the terminal certificate is an intermediate they generated and control, without registering it in the victim application's trust store. When the application connects and wolfSSL evaluates the chain with X509_V_FLAG_PARTIAL_CHAIN set, the pre-fix partial-chain fallback accepts the chain because some intermediate was temporarily loaded into the CertManager during path building, never verifying the terminal certificate against trusted entries. … |
| Remediation | Apply the upstream fix once it is included in an official wolfSSL release - monitor the wolfSSL security advisories page at https://www.wolfssl.com/docs/security-vulnerabilities/ for the patched tagged version, as the exact release version is not confirmed from the available data (only GitHub PR #10170 at https://github.com/wolfSSL/wolfssl/pull/10170 is available). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39486
GHSA-mhq8-94h7-mrgx