CVE-2026-5188
Received Received - Intake
Integer Underflow in wolfSSL ASN.1 Parsing Causes Data Corruption

Publication date: 2026-04-10

Last updated on: 2026-04-29

Assigner: wolfSSL Inc.

Description
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5188
EUVD
EUVD-2026-21290
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an integer underflow issue in wolfSSL that occurs when parsing the Subject Alternative Name (SAN) extension of X.509 certificates.

A malformed certificate can specify an entry length that is larger than the enclosing sequence, which causes the internal length counter to wrap around during parsing.

This wrapping leads to incorrect handling of certificate data.

The issue only affects configurations using the original ASN.1 parsing implementation, which is off by default.

Impact Analysis

The vulnerability can cause incorrect parsing of certificate data, potentially leading to improper validation of certificates.

This may allow an attacker to exploit the flawed parsing to bypass security checks or cause unexpected behavior in applications relying on wolfSSL for certificate validation.

However, the impact is limited because the vulnerable parsing implementation is off by default and requires specific configurations.

Mitigation Strategies

To mitigate this vulnerability, ensure that your wolfSSL configuration does not use the original ASN.1 parsing implementation, as this issue is limited to that configuration which is off by default.

Additionally, apply the patch or update provided by wolfSSL that fixes the DecodeAltNames length check, as referenced in the official pull request.

Compliance Impact

The provided information does not specify how this integer underflow vulnerability in wolfSSL's ASN.1 parsing affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an integer underflow in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates, specifically in configurations using the original ASN.1 parsing implementation which is off by default.

Detection would require identifying if your system is using a vulnerable version of wolfSSL with the original ASN.1 parser enabled and then analyzing certificates for malformed SAN extensions that specify an entry length larger than the enclosing sequence.

No specific detection commands or tools are provided in the available resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5188. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart