Platform: c
Component: wolfssl
Fixed in: 5.9.1
CVE-2026-5448 is a buffer overflow vulnerability in the wolfSSL library, located in the parsing of the X.509 certificate date fields (notAfter/notBefore). Successful exploitation could lead to denial of service or, in certain scenarios, arbitrary code execution. This vulnerability impacts versions of wolfSSL from 0.0.0 up to and including 5.9.1, but is only triggered when the affected APIs are called directly. A patch is available in version 5.9.1.
CVE-2026-5448 affects wolfSSL, specifically the wolfSSL_X509_notAfter and wolfSSL_X509_notBefore functions. The buffer overflow can occur when these functions parse the date fields of a crafted X.509 certificate. Importantly, the vulnerability does not affect TLS operations or certificate verification within wolfSSL; the risk is limited to applications that call these two compatibility-layer APIs directly. An attacker could exploit it to cause a denial of service or, in more complex scenarios, compromise application integrity.
Exploitation of CVE-2026-5448 requires an application to call wolfSSL_X509_notAfter or wolfSSL_X509_notBefore directly on a specially crafted X.509 certificate containing excessively long date fields. Because standard TLS operations are unaffected, an attacker would need to control the certificate input to the application, for example when the application loads certificates from an untrusted source or when an attacker can inject a malicious certificate into the data stream. The absence of a KEV entry (CISA's Known Exploited Vulnerabilities catalog) indicates that there is limited public information regarding exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC: not available
The primary mitigation for CVE-2026-5448 is to upgrade to wolfSSL version 5.9.1 or later, which contains the fix that prevents the buffer overflow. If an immediate upgrade is not possible, avoid direct use of wolfSSL_X509_notAfter and wolfSSL_X509_notBefore in application code and rely instead on wolfSSL's higher-level functions, which handle certificate verification securely. Monitoring certificate sources and validating certificate integrity can also help reduce the risk.
Update to wolfSSL version 5.9.1 or later to mitigate the buffer overflow risk. The update fixes the vulnerability by correctly validating the length of the date fields in X.509 certificates, preventing execution of malicious code.
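The following is an added example, not wolfSSL's code, of the class of check the fix above describes: a reader for the X.509 Validity time fields that bounds the DER length before copying anything into a fixed-size buffer. It relies only on the RFC 5280 certificate profile, under which notBefore/notAfter must be a UTCTime of exactly 13 bytes ("YYMMDDHHMMSSZ") or a GeneralizedTime of exactly 15 bytes ("YYYYMMDDHHMMSSZ"); the sample inputs, including the over-long element, are constructed for the example and come from no real certificate.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative, not wolfSSL's implementation. RFC 5280 limits certificate
 * times to 13 (UTCTime) or 15 (GeneralizedTime) bytes, so any DER length
 * above 15 is rejected before a single byte is copied. */
#define ASN_UTC_TIME          0x17
#define ASN_GENERALIZED_TIME  0x18
#define ASN_TIME_MAX_LEN      15   /* longest valid encoded time per RFC 5280 */

typedef struct {
    unsigned char tag;                        /* ASN_UTC_TIME or ASN_GENERALIZED_TIME */
    char          text[ASN_TIME_MAX_LEN + 1]; /* NUL-terminated time string */
} asn_time_t;

/* Parse one DER TLV holding a certificate time. Returns 0 on success or a
 * negative code naming the check that failed. */
int asn_time_parse(const unsigned char *der, size_t der_len, asn_time_t *out)
{
    size_t len, expected, i;

    if (der == NULL || out == NULL || der_len < 2)
        return -1;                       /* no room for tag + length */
    if (der[0] != ASN_UTC_TIME && der[0] != ASN_GENERALIZED_TIME)
        return -2;                       /* not a time type */
    if (der[1] & 0x80)
        return -3;                       /* long-form length can never be a valid time */
    len = der[1];
    if (len > ASN_TIME_MAX_LEN)
        return -4;                       /* the overflow guard: field longer than the buffer */
    if (len > der_len - 2)
        return -5;                       /* element claims more bytes than are present */
    expected = (der[0] == ASN_UTC_TIME) ? 13 : 15;
    if (len != expected)
        return -6;                       /* wrong length for this time type */
    for (i = 0; i + 1 < len; i++)
        if (der[2 + i] < '0' || der[2 + i] > '9')
            return -7;                   /* non-digit in the date/time body */
    if (der[2 + len - 1] != 'Z')
        return -8;                       /* RFC 5280 requires the Z (UTC) suffix */

    out->tag = der[0];
    memcpy(out->text, der + 2, len);     /* safe: len <= ASN_TIME_MAX_LEN was enforced */
    out->text[len] = '\0';
    return 0;
}

/* Four-digit year of a parsed time. UTCTime two-digit years follow the
 * RFC 5280 rule: 50..99 means 19xx, 00..49 means 20xx. */
int asn_time_year(const asn_time_t *t)
{
    int yy;
    if (t->tag == ASN_GENERALIZED_TIME)
        return (t->text[0] - '0') * 1000 + (t->text[1] - '0') * 100
             + (t->text[2] - '0') * 10   + (t->text[3] - '0');
    yy = (t->text[0] - '0') * 10 + (t->text[1] - '0');
    return yy >= 50 ? 1900 + yy : 2000 + yy;
}

/* Constructed sample elements (not taken from any real certificate). */
static const unsigned char SAMPLE_UTC[] =
    { 0x17, 0x0D, '2','6','0','1','3','1','1','2','0','0','0','0','Z' };
static const unsigned char SAMPLE_GEN[] =
    { 0x18, 0x0F, '2','0','5','0','0','1','3','1','1','2','0','0','0','0','Z' };
/* Hostile element: UTCTime tag, length byte 0x7F (127) followed by 127 'A's. */
static unsigned char SAMPLE_OVERLONG[2 + 127];

int demo_utc_year(void)
{
    asn_time_t t;
    return asn_time_parse(SAMPLE_UTC, sizeof SAMPLE_UTC, &t) == 0 ? asn_time_year(&t) : -1;
}

int demo_gen_year(void)
{
    asn_time_t t;
    return asn_time_parse(SAMPLE_GEN, sizeof SAMPLE_GEN, &t) == 0 ? asn_time_year(&t) : -1;
}

/* Verdict on the over-long field: -4 means the length guard fired before any copy. */
int demo_overlong_verdict(void)
{
    asn_time_t t;
    memset(&t, 0, sizeof t);
    SAMPLE_OVERLONG[0] = ASN_UTC_TIME;
    SAMPLE_OVERLONG[1] = 0x7F;
    memset(SAMPLE_OVERLONG + 2, 'A', 127);
    return asn_time_parse(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &t);
}

int main(void)
{
    printf("UTCTime sample year:         %d\n", demo_utc_year());
    printf("GeneralizedTime sample year: %d\n", demo_gen_year());
    printf("over-long field verdict:     %d\n", demo_overlong_verdict());
    return 0;
}
```

The design point is that the length check happens against the size of the destination buffer and the protocol's own maximum, not against whatever the attacker-supplied length byte says; an application that must keep using the affected functions before upgrading should apply the same bound to any certificate it hands them.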
Not directly. The vulnerability does not affect standard TLS operations in wolfSSL, so web applications using wolfSSL for TLS are not vulnerable unless they directly use the affected functions.
Avoid direct use of wolfSSL_X509_notAfter and wolfSSL_X509_notBefore. Use wolfSSL's higher-level functions for certificate verification.
Currently, there are no specific tools to detect this vulnerability. Manual code review is recommended to identify direct use of the affected functions.
KEV refers to CISA's Known Exploited Vulnerabilities catalog, which lists vulnerabilities with confirmed exploitation. The absence of a KEV entry indicates limited public information regarding exploitation.
Check the wolfSSL version used in your project. If it is older than version 5.9.1, it is vulnerable and should be updated.