Full Report
wolfSSL security advisory (AV26-344)
Analysis Summary
# Vulnerability: wolfSSL Improper Certificate Validation via Missing Digest Checks
## CVE Details
- **CVE ID:** CVE-2026-5194
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-295 (Improper Certificate Validation)
## Affected Systems
- **Products:** wolfSSL (embedded SSL/TLS library)
- **Versions:** Versions 3.12.0 to all versions prior to 5.9.1
- **Configurations:** Systems performing certificate validation, specifically those verifying signed digests.
## Vulnerability Description
The vulnerability stems from missing hash/digest size and Object Identifier (OID) checks during the certificate validation process. Specifically, the library fails to properly validate the digest size and associated OID when processing digital signatures. This flaw allows an attacker to potentially bypass certificate validation mechanisms by providing digests that do not conform to expected cryptographic standards, leading to the acceptance of unauthorized or malicious certificates.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (based on advisory date); however, the critical rating suggests high reliability for theoretical exploitation.
- **Complexity:** Medium (Requires crafting a malformed certificate that exploits the missing OID/size checks).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for Man-in-the-Middle (MitM) attacks to decrypt traffic).
- **Integrity:** High (Potential to spoof identity and inject malicious data).
- **Availability:** Low (Primary impact is on trust and authentication rather than service uptime).
## Remediation
### Patches
- **wolfSSL version 5.9.1** or later addresses this vulnerability. Users are strongly encouraged to update to the latest stable release.
### Workarounds
- There are no listed configuration-based workarounds; updating the library source code to the patched version is the recommended course of action.
## Detection
- **Indicators of compromise:** Presence of TLS/SSL certificates in network traffic that use unexpected or anomalous digest OIDs that would typically be rejected by strict validation.
- **Detection methods and tools:**
- Internal audit of binary versions for embedded devices using wolfSSL.
- Static Analysis Security Testing (SAST) of application source code to identify vulnerable wolfSSL library inclusions.
## References
- **Vendor Advisory:** hxxps[://]github[.]com/wolfSSL/wolfssl/releases
- **GitHub Security Advisory:** hxxps[://]github[.]com/advisories/GHSA-f5h9-5q52-qrx7
- **CWE-295:** hxxps[://]cwe[.]mitre[.]org/data/definitions/295[.]html
- **NVD Detail:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-5194