CVE-2026-10098
OCSP Serial Number Length Confusion in wolfSSL

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.
Affected Vendors & Products
Vendor Product Version / Range
wolfssl wolfssl * (the CPE record gives no version range; consult the wolfSSL fix commit or release notes for the first patched version)
CWE
CWE-295 Improper Certificate Validation: The product does not validate, or incorrectly validates, a certificate.
Executive Summary

This vulnerability involves a flaw in the OCSP (Online Certificate Status Protocol) implementation within wolfSSL, specifically in the function wolfSSL_OCSP_resp_find_status. The issue arises because the code compares certificate serial numbers without first checking if their lengths are equal. As a result, a SingleResponse for one certificate whose serial number is a prefix of another certificate's serial number (issued by the same issuer) can be mistakenly matched and reported as the revocation status of the other certificate. This means the system might return the wrong certificate's revocation status.

The fix for this vulnerability requires that the serial numbers must be of equal length before their bytes are compared, preventing incorrect matches.
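The following added example (not wolfSSL's code, and not taken from the advisory) illustrates the lookup flaw and its fix side by side. It models a CertID lookup over a constructed list of SingleResponse entries: the structure, the shortened issuer hash, the function names and the sample serials are all assumptions made for the illustration. The vulnerable variant compares serial bytes without requiring equal lengths, so the two-byte serial 01 02 is matched against the three-byte target 01 02 03; the fixed variant rejects the entry on length alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fields of an OCSP SingleResponse that a CertID
 * lookup touches. Not wolfSSL's own type; an illustration only. */
#define ISSUER_HASH_SZ 4   /* real CertIDs carry a full digest; shortened here */
#define SERIAL_MAX_SZ  20  /* RFC 5280 caps serialNumber at 20 octets */

typedef struct {
    unsigned char issuerHash[ISSUER_HASH_SZ];
    unsigned char serial[SERIAL_MAX_SZ];
    size_t        serialSz;
    int           revoked;   /* 1 = revoked, 0 = good */
} SingleResponse;

/* Vulnerable lookup (assumed shape of the pre-fix logic, not wolfSSL's code).
 * Issuer hashes must match, but serial bytes are compared without first
 * requiring equal lengths, so a same-issuer entry whose serial is a prefix of
 * the target serial matches. Returns the index of the matching entry, or -1. */
int find_status_vulnerable(const SingleResponse *resps, size_t n,
                           const unsigned char *issuerHash,
                           const unsigned char *serial, size_t serialSz)
{
    for (size_t i = 0; i < n; i++) {
        if (memcmp(resps[i].issuerHash, issuerHash, ISSUER_HASH_SZ) != 0)
            continue;
        /* BUG: no check that resps[i].serialSz == serialSz. The comparison
         * length is clamped to the shorter serial only so this example never
         * reads past a buffer; the prefix match is the flaw being shown. */
        size_t cmpSz = resps[i].serialSz < serialSz ? resps[i].serialSz : serialSz;
        if (memcmp(resps[i].serial, serial, cmpSz) == 0)
            return (int)i;
    }
    return -1;
}

/* Fixed lookup: serial lengths must be equal before any byte comparison. */
int find_status_fixed(const SingleResponse *resps, size_t n,
                      const unsigned char *issuerHash,
                      const unsigned char *serial, size_t serialSz)
{
    for (size_t i = 0; i < n; i++) {
        if (memcmp(resps[i].issuerHash, issuerHash, ISSUER_HASH_SZ) != 0)
            continue;
        if (resps[i].serialSz != serialSz)          /* the added length check */
            continue;
        if (memcmp(resps[i].serial, serial, serialSz) == 0)
            return (int)i;
    }
    return -1;
}

/* Constructed sample response: two entries under issuer A (a revoked cert
 * with serial 01 02 listed before a good cert with serial 01 02 03), plus an
 * entry under issuer B that carries the same three-byte serial. */
const unsigned char ISSUER_A[ISSUER_HASH_SZ] = {0xAA, 0xBB, 0xCC, 0xDD};
const unsigned char ISSUER_B[ISSUER_HASH_SZ] = {0x11, 0x22, 0x33, 0x44};
const SingleResponse SAMPLE_RESPS[] = {
    { {0xAA, 0xBB, 0xCC, 0xDD}, {0x01, 0x02},       2, 1 }, /* revoked */
    { {0xAA, 0xBB, 0xCC, 0xDD}, {0x01, 0x02, 0x03}, 3, 0 }, /* good */
    { {0x11, 0x22, 0x33, 0x44}, {0x01, 0x02, 0x03}, 3, 1 }, /* other issuer */
};
#define SAMPLE_N (sizeof SAMPLE_RESPS / sizeof SAMPLE_RESPS[0])
const unsigned char TARGET_SERIAL[] = {0x01, 0x02, 0x03};

/* Look up the target cert (issuer A, serial 01 02 03) with each variant. */
int vulnerable_result(void)
{
    return find_status_vulnerable(SAMPLE_RESPS, SAMPLE_N, ISSUER_A,
                                  TARGET_SERIAL, sizeof TARGET_SERIAL);
}
int fixed_result(void)
{
    return find_status_fixed(SAMPLE_RESPS, SAMPLE_N, ISSUER_A,
                             TARGET_SERIAL, sizeof TARGET_SERIAL);
}

int main(void)
{
    int v = vulnerable_result();
    int f = fixed_result();
    printf("vulnerable lookup -> entry %d (%s)\n", v,
           v >= 0 && SAMPLE_RESPS[v].revoked ? "revoked" : "good");
    printf("fixed lookup      -> entry %d (%s)\n", f,
           f >= 0 && SAMPLE_RESPS[f].revoked ? "revoked" : "good");
    return 0;
}
```

Run stand-alone, the vulnerable lookup returns entry 0 and reports the good certificate as revoked, while the fixed lookup returns entry 1. The opposite mis-report (a revoked certificate accepted as good) follows the same way if the shorter-serial entry is the good one, which is why the length check matters regardless of which status the prefix entry carries.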

Impact Analysis

The lookup can report the revocation status of the wrong certificate. Because the length check was missing, a same-issuer SingleResponse whose serial is a prefix of the queried certificate's serial is taken as that certificate's status, so the queried certificate may be reported revoked when it is good, or good when it is revoked, depending on the status carried by the shorter-serial entry. Either direction undermines the trustworthiness of OCSP-based validation: a revoked certificate may be accepted, or a valid one rejected. The mismatched entry must still share the issuer (the CertID issuer hashes have to match), so the practical exposure depends on the serial-number lengths the issuing CA actually assigns and on which SingleResponses an attacker can get into a response the client accepts.
