CVE-2026-5503
Received Received - Intake

Buffer Overflow in wolfSSL TLSX_EchChangeSNI Causes Memory Corruption

Vulnerability report for CVE-2026-5503, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-09

Last updated on: 2026-04-27

Assigner: wolfSSL Inc.

Description

In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-09
Last Modified
2026-04-27
Generated
2026-07-06
AI Q&A
2026-04-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the TLSX_EchChangeSNI function where extensions are set unconditionally even if a lookup function (TLSX_Find) returns NULL. As a result, the TLSX_UseSNI function attaches an attacker-controlled publicName to a shared context (WOLFSSL_CTX) when no inner Server Name Indication (SNI) is configured. The cleanup function TLSX_EchRestoreSNI fails to remove this because it only removes the data if a certain condition (serverNameX != NULL) is met. This leads to a situation where the inner ClientHello message is sized before this 'pollution' but written after it, causing a buffer overflow where 255 bytes are copied beyond the allocated memory boundary.

Impact Analysis

This vulnerability can lead to a buffer overflow condition, which may allow an attacker to corrupt memory. Such memory corruption can cause crashes, denial of service, or potentially enable remote code execution depending on the context in which the vulnerable code is used.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart