Wolfssl

Wolfssl

143 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.12%
  • Veröffentlicht 25.06.2026 19:40:11
  • Zuletzt bearbeitet 26.06.2026 18:55:14

Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.

Medienbericht
  • EPSS 0.15%
  • Veröffentlicht 25.06.2026 19:38:19
  • Zuletzt bearbeitet 26.06.2026 18:54:51

X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by calling X509_verify_cert() wi...

  • EPSS 0.23%
  • Veröffentlicht 25.06.2026 19:36:21
  • Zuletzt bearbeitet 26.06.2026 18:54:32

Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of the public key without checking that the key is at ...

Medienbericht
  • EPSS 0.27%
  • Veröffentlicht 25.06.2026 19:35:21
  • Zuletzt bearbeitet 26.06.2026 18:54:15

Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes pas...

Medienbericht
  • EPSS 0.15%
  • Veröffentlicht 25.06.2026 19:31:55
  • Zuletzt bearbeitet 26.06.2026 18:54:02

Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative() accepts it without performing any trust verification; it must therefore only be accep...

  • EPSS 0.12%
  • Veröffentlicht 25.06.2026 19:30:34
  • Zuletzt bearbeitet 26.06.2026 18:53:47

Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while...

Medienbericht
  • EPSS 0.15%
  • Veröffentlicht 25.06.2026 16:56:14
  • Zuletzt bearbeitet 26.06.2026 16:50:28

X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untru...

  • EPSS 0.11%
  • Veröffentlicht 25.06.2026 16:53:14
  • Zuletzt bearbeitet 26.06.2026 16:50:50

AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.

Medienbericht
  • EPSS 0.1%
  • Veröffentlicht 25.06.2026 16:51:18
  • Zuletzt bearbeitet 26.06.2026 16:50:36

wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibil...

  • EPSS 0.12%
  • Veröffentlicht 25.06.2026 16:46:12
  • Zuletzt bearbeitet 26.06.2026 16:50:56

Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that ends at an intermediate they control and have it accep...