Platform
c
Component
wolfssl
Fixed in
5.9.1
CVE-2026-5393 describes an out-of-bounds read vulnerability discovered in wolfSSL. This flaw arises during the processing of dual-algorithm CertificateVerify messages, specifically when the software is compiled with the --enable-experimental and --enable-dual-alg-certs flags. Affected versions include those from 0.0.0 up to and including 5.9.1; upgrading to version 5.9.1 resolves the issue.
An attacker exploiting this vulnerability could potentially trigger a denial-of-service (DoS) condition by sending a specially crafted CertificateVerify message. The out-of-bounds read could lead to application crashes or unexpected behavior. While the direct impact on data confidentiality or integrity is not explicitly stated, the ability to crash the wolfSSL library could disrupt secure communication channels relying on it. The experimental and dual-algorithm certificate features suggest this vulnerability might be relevant to specific, less common cryptographic implementations, but the potential for disruption remains significant.
CVE-2026-5393 was publicly disclosed on 2026-04-09. There is currently no public proof-of-concept (PoC) code available. The vulnerability's reliance on experimental features and specific build flags suggests a lower probability of immediate widespread exploitation, but the potential for targeted attacks remains. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
The primary mitigation for CVE-2026-5393 is to upgrade to wolfSSL version 5.9.1 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider disabling the --enable-experimental and --enable-dual-alg-certs flags during compilation. This will prevent the vulnerable code path from being used, although it will also disable the dual-algorithm certificate functionality. Carefully review application dependencies and test thoroughly after any configuration changes. After upgrading, confirm the fix by attempting to process a known-malformed dual-algorithm CertificateVerify message and verifying that the application does not crash or exhibit unexpected behavior.
Update to version 5.9.1 or later of wolfSSL. This version corrects the out-of-bounds read vulnerability in the DoTls13CertificateVerify function when processing dual-algorithm certificate verify messages. Ensure you do not enable experimental and dual-algorithm options unless absolutely necessary.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5393 is a vulnerability in wolfSSL where a crafted CertificateVerify message can trigger an out-of-bounds read, potentially leading to a denial-of-service. It affects versions 0.0.0–5.9.1 when built with specific experimental flags.
You are affected if you use wolfSSL versions 0.0.0 through 5.9.1 and have enabled the --enable-experimental and --enable-dual-alg-certs build flags. Check your build configurations to confirm.
Upgrade to wolfSSL version 5.9.1 or later. Alternatively, disable the --enable-experimental and --enable-dual-alg-certs flags during compilation, but be aware this will disable related functionality.
There is currently no evidence of active exploitation, but the potential for targeted attacks remains. Monitor your systems and stay informed about any new developments.
Refer to the official wolfSSL security advisories on their website for the most up-to-date information and guidance regarding CVE-2026-5393.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.