CVE-2026-5188
Integer Underflow in wolfSSL ASN.1 Parsing Causes Data Corruption
Publication date: 2026-04-10
Last updated on: 2026-04-29
Assigner: wolfSSL Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | all versions before 5.9.1 (5.9.1 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this integer underflow vulnerability in wolfSSL's ASN.1 parsing affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an integer underflow in wolfSSL's parsing of the Subject Alternative Name (SAN) extension of X.509 certificates, and it only affects builds that use the original ASN.1 parsing implementation, which is off by default.
Detection is therefore first a build-configuration question: establish which wolfSSL version each application links (versions before 5.9.1 are in the affected range) and whether that build uses the original parser rather than the default template parser. This page does not name the build option; in wolfSSL's build system the template parser is selected by the WOLFSSL_ASN_TEMPLATE define, which the default configuration sets, so an affected version built without that define is the one to treat as vulnerable.
On the wire, the trigger is a certificate whose SAN extension contains an entry with an encoded length larger than the remaining length of the enclosing SEQUENCE; a DER dump of such a certificate shows the entry length overrunning the SEQUENCE that holds it.
No specific detection commands or tools are provided in the available resources.
Can you explain this vulnerability to me?
This vulnerability is an integer underflow (CWE-191) in wolfSSL that occurs when parsing the Subject Alternative Name (SAN) extension of X.509 certificates.
The parser tracks how many bytes of the SAN SEQUENCE remain and subtracts each entry's length from that counter. A malformed certificate can specify an entry length that is larger than the enclosing SEQUENCE, so the subtraction takes the counter below zero and it wraps around to a very large value.
With the counter wrapped, parsing continues past the end of the extension and bytes that belong to other parts of the certificate are handled as if they were SAN data, which is the data corruption named in the title.
The issue only affects configurations using the original ASN.1 parsing implementation, which is off by default.
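The following C program is an added illustration, not code from wolfSSL or from this page, of the parsing pattern just described; it also serves as the offline check asked about in the detection question above. It walks a constructed SAN GeneralNames SEQUENCE with an unchecked decrement on one path and the missing length check on the other. The byte strings, the walk_san and der_length names, and the shape of the loop are assumptions for the example; wolfSSL's DecodeAltNames is structured differently.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of walking a SubjectAltName GeneralNames SEQUENCE. */
typedef struct {
    int      ok;         /* 1 when the walk consumed exactly the sequence */
    int      entries;    /* GeneralName entries the walker accepted */
    uint32_t remaining;  /* the length counter when the walk stopped */
} san_walk_t;

/* Decode one DER length at buf[*idx] (short form, or long form up to 4 bytes). */
static int der_length(const uint8_t *buf, size_t *idx, size_t max, uint32_t *len)
{
    if (*idx >= max) return -1;
    uint8_t b = buf[(*idx)++];
    if (b < 0x80) { *len = b; return 0; }
    unsigned n = b & 0x7f;
    if (n == 0 || n > 4 || *idx + n > max) return -1;
    uint32_t v = 0;
    while (n--) v = (v << 8) | buf[(*idx)++];
    *len = v;
    return 0;
}

/* Walk the GeneralNames SEQUENCE at buf[0..max).
 * hardened == 0 models the flaw: the remaining-length counter is decremented
 *   by each entry's size without first checking that the entry fits, so an
 *   oversized entry drives the unsigned counter below zero (CWE-191). It wraps
 *   to a huge value and the loop keeps consuming bytes that belong to whatever
 *   follows the extension, reporting them as further SAN entries.
 * hardened != 0 refuses any entry larger than what is left of the sequence,
 *   the kind of length check the fix adds to DecodeAltNames.
 * The buffer-bound checks against max are there so the flawed path stays
 * memory-safe in this demo; a real parser without them would read past the
 * buffer. */
san_walk_t walk_san(const uint8_t *buf, size_t max, int hardened)
{
    san_walk_t r = { 0, 0, 0 };
    size_t idx = 0;
    uint32_t seqLen;

    if (max < 1 || buf[idx++] != 0x30) return r;              /* SEQUENCE tag */
    if (der_length(buf, &idx, max, &seqLen) != 0) return r;
    if (hardened && seqLen > max - idx) return r;             /* sequence must fit the buffer */

    r.remaining = seqLen;
    while (r.remaining > 0) {
        size_t start = idx;
        uint32_t len;
        if (idx >= max) return r;                              /* walked off the buffer */
        idx++;                                                 /* GeneralName tag, e.g. 0x82 dNSName */
        if (der_length(buf, &idx, max, &len) != 0) return r;
        uint32_t consumed = (uint32_t)(idx - start) + len;     /* header + content */
        if (hardened && consumed > r.remaining) return r;      /* entry larger than enclosing SEQUENCE */
        if (len > max - idx) return r;                         /* demo-only bound */
        idx += len;
        r.remaining -= consumed;   /* underflows on the flawed path when consumed > remaining */
        r.entries++;
    }
    r.ok = 1;
    return r;
}

/* Constructed test vectors (not taken from any real certificate): a SAN
 * GeneralNames SEQUENCE holding one dNSName, followed by five bytes standing
 * in for the next structure in the certificate. */
const uint8_t san_good[] = {
    0x30, 0x0D,                                                 /* SEQUENCE, 13 bytes of content */
    0x82, 0x0B, 'e','x','a','m','p','l','e','.','c','o','m',   /* dNSName, 11 bytes: "example.com" */
    0x04, 0x03, 0x01, 0x02, 0x03                                /* data after the extension */
};
const uint8_t san_bad[] = {
    0x30, 0x0D,                                                 /* SEQUENCE still claims 13 bytes */
    0x82, 0x0C, 'e','x','a','m','p','l','e','.','c','o','m',   /* dNSName claims 12: 2 + 12 > 13 */
    0x04, 0x03, 0x01, 0x02, 0x03
};

static void report(const char *label, const uint8_t *buf, size_t n, int hardened)
{
    san_walk_t r = walk_san(buf, n, hardened);
    printf("%-5s %-9s ok=%d entries=%d remaining=0x%08X\n",
           label, hardened ? "hardened" : "flawed", r.ok, r.entries, (unsigned)r.remaining);
}

int main(void)
{
    report("good", san_good, sizeof san_good, 0);
    report("good", san_good, sizeof san_good, 1);
    report("bad",  san_bad,  sizeof san_bad,  0);   /* counter wraps, a phantom second entry appears */
    report("bad",  san_bad,  sizeof san_bad,  1);   /* rejected before the counter is touched */
    return 0;
}
```

Compile with `cc -o san_walk san_walk.c && ./san_walk`. On the malformed vector the flawed path reports two entries, the second one assembled from the bytes that follow the extension, and a remaining count of 0xFFFFFFFC; the hardened path stops at the first entry with the counter still at 13.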
How can this vulnerability impact me?
The vulnerability causes incorrect parsing of certificate data, so the values an application reads out of an affected certificate (the SAN entries and whatever the wrapped counter pulls in after them) can be wrong, and certificate validation built on those values may misbehave.
The malformed certificate is attacker-supplied input: a certificate has to be decoded before its signature can be verified, so any peer that can present a certificate to a vulnerable wolfSSL endpoint, or any certificate file the application loads, reaches the flawed parser. The page characterises the outcome as data corruption; it does not document a specific bypass or crash, and anything beyond incorrect handling of the certificate is not established here.
The exposure is limited because the vulnerable parsing implementation is off by default and is only present in builds that explicitly select the original ASN.1 parser.
What immediate steps should I take to mitigate this vulnerability?
First confirm whether any of your wolfSSL builds use the original ASN.1 parsing implementation; the issue is limited to that configuration, which is off by default, so a build using the default template parser is not affected. If a build does select the original parser and cannot be upgraded immediately, rebuilding with the default parser removes the vulnerable code path.
Then update to a wolfSSL release outside the affected range (this page lists all versions before 5.9.1 as affected), or apply the fix to the DecodeAltNames length check from the official wolfSSL pull request referenced in the advisory.