CVE-2026-3547
Status: Received - Intake
Out-of-Bounds Read in wolfSSL ALPN Causes Denial of Service

Publication date: 2026-03-19

Last updated on: 2026-03-26

Assigner: wolfSSL Inc.

Description
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-26
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wolfssl | Product: wolfssl | Version / Range: up to 5.9.0 (excluding)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Quick Actions (AI-generated content)
Mitigation Strategies

The immediate mitigation step is to upgrade wolfSSL to version 5.9.0 or later, where the vulnerability has been fixed by correcting the loop boundary condition in ALPN parsing.

Alternatively, if upgrading is not immediately possible, disabling ALPN support in wolfSSL (which is disabled by default) or disabling any features that enable ALPN (such as enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic) can mitigate the risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an out-of-bounds read in ALPN parsing within wolfSSL when ALPN is enabled. Detection would typically involve monitoring for process crashes or denial of service symptoms related to ALPN protocol handling.

Since the vulnerability triggers on a crafted ALPN protocol list, network detection could involve capturing and analyzing TLS handshake packets to identify suspicious or malformed ALPN protocol lists.

However, no specific detection commands or tools are provided in the available information.
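The mitigation and detection notes above both come down to one check: every entry in an ALPN ProtocolNameList must be bounds-validated against the length fields around it before it is read. The following C routine is an added example written for this page, not wolfSSL's code and not the patched loop from 5.9.0. It parses the ALPN extension payload as defined in RFC 7301 (a 2-byte list length followed by 1-byte length-prefixed protocol names), rejects any list whose declared lengths do not match the bytes actually present, and can serve either as a reference for the validation a TLS library must perform or as a checker for an ALPN extension lifted from a captured ClientHello. The test vectors are constructed, not captured traffic.

```c
/* Added example (not wolfSSL code): strict bounds-checked parsing of an
 * ALPN ProtocolNameList as carried in the TLS ALPN extension (RFC 7301).
 * Wire format:  uint16 list_len | { uint8 name_len | name_len bytes }...
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALPN_MAX_NAMES 16

typedef struct {
    const uint8_t *name;   /* points into the caller's buffer, not copied */
    uint8_t        len;    /* 1..255 per RFC 7301 */
} alpn_name;

/* Returns the number of names parsed (>= 1), or -1 if the encoding is
 * malformed. Every read is preceded by an explicit check that the bytes
 * exist, so a crafted list can never move the cursor past buf + len. */
int alpn_parse_list(const uint8_t *buf, size_t len,
                    alpn_name *out, size_t out_cap)
{
    size_t pos, list_end;
    uint16_t list_len;
    int count = 0;

    if (buf == NULL || len < 2)
        return -1;                               /* no room for the length field */
    list_len = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    /* The list must fill the payload exactly and hold at least one entry. */
    if (list_len < 2 || (size_t)list_len != len - 2)
        return -1;
    list_end = pos + list_len;

    while (pos < list_end) {
        uint8_t name_len = buf[pos++];           /* safe: pos < list_end <= len */
        if (name_len == 0)                       /* empty names are forbidden */
            return -1;
        if (name_len > list_end - pos)           /* entry would run past the list */
            return -1;
        if ((size_t)count >= out_cap)            /* caller's table is full */
            return -1;
        out[count].name = buf + pos;
        out[count].len  = name_len;
        count++;
        pos += name_len;
    }
    return count;
}

/* Does an already-validated list offer the protocol `proto`? */
int alpn_list_offers(const alpn_name *names, int count, const char *proto)
{
    size_t plen = strlen(proto);
    for (int i = 0; i < count; i++)
        if (names[i].len == plen && memcmp(names[i].name, proto, plen) == 0)
            return 1;
    return 0;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t good_list[] = {
    0x00, 0x0c,                                   /* list length = 12 */
    0x02, 'h', '2',                               /* "h2" */
    0x08, 'h', 't', 't', 'p', '/', '1', '.', '1'  /* "http/1.1" */
};
/* Declared name length (0x09) exceeds the bytes that follow it. */
static const uint8_t truncated_list[] = { 0x00, 0x03, 0x09, 'h', '2' };
/* List length claims 5 bytes but only 3 follow. */
static const uint8_t short_list[] = { 0x00, 0x05, 0x02, 'h', '2' };
/* Zero-length protocol name inside a list of the right size. */
static const uint8_t empty_name_list[] = { 0x00, 0x02, 0x00, 0x00 };

/* Wrappers exposing each vector's result as a plain int. */
int example_good_count(void)
{
    alpn_name n[ALPN_MAX_NAMES];
    return alpn_parse_list(good_list, sizeof good_list, n, ALPN_MAX_NAMES);
}
int example_good_offers(const char *proto)
{
    alpn_name n[ALPN_MAX_NAMES];
    int c = alpn_parse_list(good_list, sizeof good_list, n, ALPN_MAX_NAMES);
    return c > 0 ? alpn_list_offers(n, c, proto) : -1;
}
int example_truncated(void)
{
    alpn_name n[ALPN_MAX_NAMES];
    return alpn_parse_list(truncated_list, sizeof truncated_list, n, ALPN_MAX_NAMES);
}
int example_short(void)
{
    alpn_name n[ALPN_MAX_NAMES];
    return alpn_parse_list(short_list, sizeof short_list, n, ALPN_MAX_NAMES);
}
int example_empty_name(void)
{
    alpn_name n[ALPN_MAX_NAMES];
    return alpn_parse_list(empty_name_list, sizeof empty_name_list, n, ALPN_MAX_NAMES);
}

int main(void)
{
    printf("good: %d names, offers h2=%d\n", example_good_count(), example_good_offers("h2"));
    printf("truncated=%d short=%d empty=%d\n",
           example_truncated(), example_short(), example_empty_name());
    return 0;
}
```

The design point is that the cursor is only ever advanced after the remaining byte count has been checked, so a malformed length field yields a clean rejection rather than a read past the buffer; a library that returns -1 here would respond with a decode_error alert instead of crashing, and a passive checker run over captured ClientHello extensions would flag the same inputs as malformed.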

Executive Summary

This vulnerability is an out-of-bounds read in the ALPN (Application-Layer Protocol Negotiation) parsing code of wolfSSL version 5.8.4 and earlier when ALPN is enabled. It occurs because the validation of the ALPN protocol list is incomplete, allowing a crafted ALPN protocol list to cause the software to read memory outside the intended bounds.

Specifically, the issue arises from an incorrect loop boundary condition in the code that processes the ALPN list, which leads to reading beyond the allocated memory. This can cause the process to crash.

Impact Analysis

The primary impact of this vulnerability is a potential denial of service (DoS) due to a process crash triggered by the out-of-bounds read in ALPN handling.

Since ALPN is disabled by default, the risk applies mainly when wolfSSL is built with ALPN enabled, which is the case for certain third-party compatibility features such as Apache HTTPD, Bind, Curl, HAProxy, Hitch, Lighty, JNI, Nginx, and QUIC.
