Platform: c
Component: wolfssl
Fixed in: 5.11.0
CVE-2026-5188 describes an integer underflow vulnerability in wolfSSL. The flaw arises when parsing the Subject Alternative Name (SAN) extension of an X.509 certificate: a certificate whose SAN extension declares an entry longer than the data actually present causes the parser to miscompute how much data remains, leading to incorrect handling of the certificate. The vulnerability affects wolfSSL versions 0.0.0 through 5.9.0 and is fixed in version 5.11.0.
The underflow lets an attacker craft an X.509 certificate that derails parsing instead of being rejected. When a SAN entry's declared length exceeds the bytes remaining in the extension, subtracting it from an unsigned remaining-length counter wraps around to a very large value, so subsequent reads or writes can run past the buffer. Depending on what the application does with the parsed data, the result may be a crash (denial of service), and memory corruption of this kind can in the worst case be leveraged toward code execution. Because a TLS peer's certificate must be parsed before it can be verified, a malicious server, or a client presenting a client certificate, can reach this code path without holding any trusted credential, which makes the issue particularly concerning for TLS servers and clients, VPNs, and embedded devices built on wolfSSL.
CVE-2026-5188 was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) is available at the time of writing. The EPSS score is 0.04% (11th percentile) and the CVE is not listed in the CISA KEV catalog. Given that the flaw sits in certificate parsing, which is exposed to untrusted peers before any authentication takes place, remediation should be prioritized regardless of the low EPSS score.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-5188 is to upgrade to wolfSSL version 5.11.0 or later, which fixes the integer underflow. If upgrading is not immediately feasible, a stopgap is to reject certificates whose SAN extension declares entry lengths larger than the bytes remaining in the extension before they reach the vulnerable parser. Note that such a filter only helps if it runs on the raw DER before wolfSSL parses it, which for peer certificates received during a TLS handshake is rarely practical, so treat it as a partial measure rather than a fix. Also review any application code that parses certificates itself to ensure it validates every declared length against the enclosing buffer. After upgrading, confirm the fix by feeding a crafted certificate with an oversized SAN entry to the parser: the certificate should be rejected with a parse error, and the process must not crash or hang.
Update to wolfSSL version 5.11.0 or later to mitigate the issue. The fix disables the original ASN.1 parser and makes the secure ASN.1 parser the default. Refer to the wolfSSL documentation for upgrade instructions.
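To make the underflow described above and the length check suggested here concrete, the following is an added, constructed example. It is not wolfSSL's code and not the actual vulnerable function: the SAN bytes are hand-built (short-form DER lengths only), and the function names are hypothetical. The unchecked walk subtracts each entry's declared length from an unsigned "remaining" counter without verifying it fits, so an oversized entry wraps the counter; the checked walk bounds every length against what is actually left and rejects the input instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a SubjectAltName SEQUENCE (tag 0x30) holding two
 * dNSName GeneralNames (context tag [2] = 0x82), short-form lengths only. */
static const uint8_t good_san[] = {
    0x30, 0x14,
      0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
      0x82, 0x05, 'l','o','c','a','l'
};

/* Same bytes, but the second entry now claims 0x7f (127) bytes of content
 * while only 5 remain inside the SEQUENCE. */
static const uint8_t bad_san[] = {
    0x30, 0x14,
      0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
      0x82, 0x7f, 'l','o','c','a','l'
};

/* Vulnerable pattern (hypothetical, not wolfSSL's code): the declared entry
 * length is subtracted from an unsigned remaining-byte counter without
 * checking that it fits.  On the bad sample the subtraction wraps, the loop
 * condition stays true and the cursor runs past the buffer.  The idx > der_len
 * guard exists only to stop this demo before an actual out-of-bounds read;
 * real vulnerable code has no such stop.  Returns entry count, -1 on a
 * detected error, -2 when the demo guard fires. */
int count_san_entries_unchecked(const uint8_t *der, size_t der_len,
                                size_t *wrapped_remaining)
{
    if (der_len < 2 || der[0] != 0x30)
        return -1;
    size_t remaining = der[1];          /* declared SEQUENCE length */
    size_t idx = 2;
    int count = 0;

    while (remaining > 0) {
        if (remaining < 2)
            return -1;                  /* no room for tag + length */
        size_t entry_len = der[idx + 1];
        idx += 2;
        remaining -= 2;
        remaining -= entry_len;         /* BUG: underflows when entry_len > remaining */
        idx += entry_len;
        count++;
        if (idx > der_len) {            /* demo guard: next read would be OOB */
            *wrapped_remaining = remaining;
            return -2;
        }
    }
    return count;
}

/* Hardened form: bound the SEQUENCE by the buffer, then check each entry's
 * length against the bytes actually left before consuming it.  Malformed
 * input is rejected with -1 instead of wrapping a counter. */
int count_san_entries_checked(const uint8_t *der, size_t der_len)
{
    if (der_len < 2 || der[0] != 0x30)
        return -1;
    size_t seq_len = der[1];
    if (seq_len > der_len - 2)
        return -1;                      /* SEQUENCE claims more than the buffer holds */
    size_t idx = 2, end = 2 + seq_len;
    int count = 0;

    while (idx < end) {
        if (end - idx < 2)
            return -1;                  /* no room for tag + length */
        if ((der[idx] & 0xC0) != 0x80)
            return -1;                  /* GeneralName entries are context-tagged */
        size_t entry_len = der[idx + 1];
        idx += 2;
        if (entry_len > end - idx)
            return -1;                  /* the check that prevents the underflow */
        idx += entry_len;
        count++;
    }
    return count;
}

/* The wrapped counter the unchecked walk is left with on the bad sample. */
size_t bad_san_wrapped_remaining(void)
{
    size_t wrapped = 0;
    count_san_entries_unchecked(bad_san, sizeof bad_san, &wrapped);
    return wrapped;
}

int main(void)
{
    size_t w = 0;
    printf("good, unchecked: %d entries\n",
           count_san_entries_unchecked(good_san, sizeof good_san, &w));
    printf("bad,  unchecked: rc=%d, remaining wrapped to %zu\n",
           count_san_entries_unchecked(bad_san, sizeof bad_san, &w), w);
    printf("good, checked:   %d entries\n",
           count_san_entries_checked(good_san, sizeof good_san));
    printf("bad,  checked:   rc=%d (rejected)\n",
           count_san_entries_checked(bad_san, sizeof bad_san));
    return 0;
}
```

On the bad sample the unchecked walk's remaining counter goes from 5 to SIZE_MAX - 121, which is exactly the wrap an oversized SAN entry produces; the checked walk refuses the same bytes with -1 at the entry that does not fit. The same shape of check (compare a declared length against `end - idx` before consuming it) is what any pre-filter or in-house certificate parser needs.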
CVE-2026-5188 is an integer underflow vulnerability in wolfSSL versions 0.0.0–5.9.0 that allows malformed X.509 certificates to trigger incorrect certificate data handling.
If you are using wolfSSL versions 0.0.0 through 5.9.0, you are potentially affected by this vulnerability. Check your installed version and upgrade if necessary.
Upgrade to wolfSSL version 5.11.0 or later to resolve the integer underflow vulnerability. Consider stricter certificate validation as a temporary measure.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature warrants prompt remediation.
Refer to the wolfSSL security advisories on their official website for the most up-to-date information and guidance regarding CVE-2026-5188.