CVE-2026-10592
Analyzed Analyzed - Analysis Complete

Wildcard DNS SAN Bypasses CA Name-Constraint Validation

Vulnerability report for CVE-2026-10592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: wolfSSL Inc.

Description

Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 3.9.10 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability involves certificates with wildcard DNS SANs bypassing CA name-constraint checks, which means certificates that should be rejected could be accepted. Such improper validation can undermine the trustworthiness of certificate chains and the security guarantees they provide.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, improper certificate validation can potentially lead to unauthorized access or interception of sensitive data, which may impact compliance with data protection regulations that require strong security controls.

The fix described ensures compliance with RFC 5280 by correctly validating wildcard DNS entries, which helps maintain proper certificate validation and thus supports adherence to security best practices relevant to regulatory compliance.

Executive Summary

This vulnerability involves certificates that contain wildcard DNS Subject Alternative Names (SANs), such as *.example.com, bypassing the name-constraint checks enforced by the issuing Certificate Authority (CA). Normally, a CA uses permitted or excluded DNS name constraints to restrict which domain names a certificate can cover. However, due to this issue, a certificate with a wildcard DNS SAN that should have been rejected because it violated these constraints could instead be accepted.

Impact Analysis

The impact of this vulnerability is that certificates with wildcard DNS SANs might be issued or accepted even when they violate the CA's name constraints. This could allow an attacker to obtain a certificate that improperly covers domains they should not have access to, potentially enabling man-in-the-middle attacks, impersonation, or unauthorized interception of secure communications.

Detection Guidance

This vulnerability involves improper handling of wildcard DNS Subject Alternative Names (SANs) in certificates, which bypasses CA name-constraint checks. Detection would require inspecting certificates for wildcard DNS SANs that violate permitted or excluded DNS name constraints.

Since the issue is related to certificate validation in the wolfSSL library, one way to detect it is to analyze certificate chains for wildcard DNS SANs that should be rejected but are accepted.

No specific commands are provided in the available resources to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to the version that includes the fix described in the referenced pull request.

The fix ensures proper validation of wildcard DNS SANs according to RFC 5280, preventing acceptance of certificates that violate name constraints.

Applying this update will prevent potential security issues related to improper certificate validation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10592. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart