CVE-2026-10592
- EPSS 0.12%
- Veröffentlicht 25.06.2026 19:40:11
- Zuletzt bearbeitet 26.06.2026 18:55:14
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
CVE-2026-11310
- EPSS 0.15%
- Veröffentlicht 25.06.2026 19:38:19
- Zuletzt bearbeitet 26.06.2026 18:54:51
X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by calling X509_verify_cert() wi...
CVE-2026-12340
- EPSS 0.23%
- Veröffentlicht 25.06.2026 19:36:21
- Zuletzt bearbeitet 26.06.2026 18:54:32
Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of the public key without checking that the key is at ...
CVE-2026-55958
- EPSS 0.27%
- Veröffentlicht 25.06.2026 19:35:21
- Zuletzt bearbeitet 26.06.2026 18:54:15
Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes pas...
CVE-2026-55960
- EPSS 0.15%
- Veröffentlicht 25.06.2026 19:31:55
- Zuletzt bearbeitet 26.06.2026 18:54:02
Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative() accepts it without performing any trust verification; it must therefore only be accep...
CVE-2026-55964
- EPSS 0.12%
- Veröffentlicht 25.06.2026 19:30:34
- Zuletzt bearbeitet 26.06.2026 18:53:47
Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while...
CVE-2026-11999
- EPSS 0.15%
- Veröffentlicht 25.06.2026 16:56:14
- Zuletzt bearbeitet 26.06.2026 16:50:28
X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untru...
CVE-2026-55967
- EPSS 0.11%
- Veröffentlicht 25.06.2026 16:53:14
- Zuletzt bearbeitet 26.06.2026 16:50:50
AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
CVE-2026-55961
- EPSS 0.1%
- Veröffentlicht 25.06.2026 16:51:18
- Zuletzt bearbeitet 26.06.2026 16:50:36
wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibil...
CVE-2026-6091
- EPSS 0.12%
- Veröffentlicht 25.06.2026 16:46:12
- Zuletzt bearbeitet 26.06.2026 16:50:56
Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that ends at an intermediate they control and have it accep...