Platform
c
Component
wolfssl
Opgelost in
5.9.1
CVE-2026-5393 describes an out-of-bounds read vulnerability discovered in wolfSSL. This flaw arises during the processing of dual-algorithm CertificateVerify messages, specifically when the software is compiled with the --enable-experimental and --enable-dual-alg-certs flags. Affected versions include those from 0.0.0 up to and including 5.9.1; upgrading to version 5.9.1 resolves the issue.
An attacker exploiting this vulnerability could potentially trigger a denial-of-service (DoS) condition by sending a specially crafted CertificateVerify message. The out-of-bounds read could lead to application crashes or unexpected behavior. While the direct impact on data confidentiality or integrity is not explicitly stated, the ability to crash the wolfSSL library could disrupt secure communication channels relying on it. The experimental and dual-algorithm certificate features suggest this vulnerability might be relevant to specific, less common cryptographic implementations, but the potential for disruption remains significant.
CVE-2026-5393 was publicly disclosed on 2026-04-09. There is currently no public proof-of-concept (PoC) code available. The vulnerability's reliance on experimental features and specific build flags suggests a lower probability of immediate widespread exploitation, but the potential for targeted attacks remains. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems utilizing wolfSSL versions 0.0.0 through 5.9.1 that have been compiled with the --enable-experimental and --enable-dual-alg-certs flags are at risk. This includes embedded systems, IoT devices, and any software relying on wolfSSL for secure communication where these specific build options are enabled.
• linux / server:
ps aux | grep wolfSSL• c / generic web:
Inspect wolfSSL build configurations for the presence of --enable-experimental and --enable-dual-alg-certs flags. Review application logs for any errors related to certificate verification or memory access.
disclosure
Exploit Status
EPSS
0.04% (13% percentiel)
CISA SSVC
The primary mitigation for CVE-2026-5393 is to upgrade to wolfSSL version 5.9.1 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider disabling the --enable-experimental and --enable-dual-alg-certs flags during compilation. This will prevent the vulnerable code path from being used, although it will also disable the dual-algorithm certificate functionality. Carefully review application dependencies and test thoroughly after any configuration changes. After upgrading, confirm the fix by attempting to process a known-malformed dual-algorithm CertificateVerify message and verifying that the application does not crash or exhibit unexpected behavior.
Actualice a la versión 5.9.1 o posterior de wolfSSL. Esta versión corrige la vulnerabilidad de lectura fuera de límites en la función DoTls13CertificateVerify al procesar mensajes de verificación de certificado de doble algoritmo. Asegúrese de no habilitar las opciones experimentales y de doble algoritmo a menos que sean absolutamente necesarias.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-5393 is a vulnerability in wolfSSL where a crafted CertificateVerify message can trigger an out-of-bounds read, potentially leading to a denial-of-service. It affects versions 0.0.0–5.9.1 when built with specific experimental flags.
You are affected if you use wolfSSL versions 0.0.0 through 5.9.1 and have enabled the --enable-experimental and --enable-dual-alg-certs build flags. Check your build configurations to confirm.
Upgrade to wolfSSL version 5.9.1 or later. Alternatively, disable the --enable-experimental and --enable-dual-alg-certs flags during compilation, but be aware this will disable related functionality.
There is currently no evidence of active exploitation, but the potential for targeted attacks remains. Monitor your systems and stay informed about any new developments.
Refer to the official wolfSSL security advisories on their website for the most up-to-date information and guidance regarding CVE-2026-5393.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.