CVE-2026-5503
Received Received - Intake
Buffer Overflow in wolfSSL TLSX_EchChangeSNI Causes Memory Corruption

Publication date: 2026-04-09

Last updated on: 2026-04-27

Assigner: wolfSSL Inc.

Description
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5503
EUVD
EUVD-2026-21234
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the TLSX_EchChangeSNI function where extensions are set unconditionally even if a lookup function (TLSX_Find) returns NULL. As a result, the TLSX_UseSNI function attaches an attacker-controlled publicName to a shared context (WOLFSSL_CTX) when no inner Server Name Indication (SNI) is configured. The cleanup function TLSX_EchRestoreSNI fails to remove this because it only removes the data if a certain condition (serverNameX != NULL) is met. This leads to a situation where the inner ClientHello message is sized before this 'pollution' but written after it, causing a buffer overflow where 255 bytes are copied beyond the allocated memory boundary.

Impact Analysis

This vulnerability can lead to a buffer overflow condition, which may allow an attacker to corrupt memory. Such memory corruption can cause crashes, denial of service, or potentially enable remote code execution depending on the context in which the vulnerable code is used.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart