CVE-2026-10592
Undergoing Analysis - In Progress
Wildcard DNS SAN Bypasses CA Name-Constraint Validation

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: wolfssl
Product: wolfssl
Version / Range: up to and including 3.15.0
Exploitability
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Quick Actions
Compliance Impact

This vulnerability allows certificates with wildcard DNS SANs to bypass CA name-constraint checks, so certificates that the issuing CA's constraints should have excluded can be accepted. Improper validation of this kind undermines the trust placed in certificate chains and the security guarantees that depend on them.

The available information does not mention specific standards such as GDPR or HIPAA, but improper certificate validation can lead to unauthorized access to, or interception of, sensitive data, which may affect compliance with data-protection regulations that require strong security controls.

The referenced fix validates wildcard DNS entries against name constraints as RFC 5280 requires, which restores correct certificate validation and supports the security practices those regulations expect.

Detection Guidance

This vulnerability is an improper handling of wildcard DNS Subject Alternative Names (SANs) that bypasses the issuing CA's name-constraint checks. Detecting a certificate that exploits it means inspecting the chain for wildcard DNS SANs that fall outside the CA's permitted DNS subtrees or inside its excluded ones.

Because the flaw lies in wolfSSL's certificate validation, a practical check is to take the chains that a wolfSSL-based client or server accepts and re-validate them with an independent implementation, flagging any chain whose wildcard DNS SAN the independent check rejects for a name-constraint violation.

No specific commands are provided in the available resources for detecting this vulnerability on a network or system.
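As an added illustration of that check (example code written for this page, not wolfSSL's code and not the fix referenced by the advisory), the following Python applies the RFC 5280 section 4.2.1.10 dNSName subtree rule to each DNS SAN of a leaf certificate, treating the wildcard label as an ordinary leftmost label. Two behaviours are choices of this example rather than RFC text and are marked as such in the code: a legacy leading dot on a constraint is tolerated, and a wildcard that would match a host inside an excluded subtree is rejected. The CA constraints and SAN lists are constructed inputs.

```python
"""Added example: check dNSName SANs, wildcards included, against CA name
constraints. Standard library only; every input below is constructed."""

from dataclasses import dataclass, field
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Lower-case a DNS name, drop one trailing dot and split it into labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: `name` is inside the subtree `base` when
    it equals `base` or is `base` with one or more labels added on the left.
    The wildcard label "*" is an ordinary leftmost label here, so
    "*.example.com" is inside "example.com" but not inside "www.example.com".
    Assumptions of this example: a legacy leading dot on the constraint
    (".example.com") is stripped, and an empty constraint matches every name."""
    n, b = _labels(name), _labels(base.lstrip("."))
    if not b:
        return True
    return len(n) >= len(b) and n[len(n) - len(b):] == b


def is_wildcard(name: str) -> bool:
    """Only a whole leftmost "*" label counts as a wildcard (RFC 6125 6.4.3)."""
    labels = _labels(name)
    return len(labels) >= 2 and labels[0] == "*"


@dataclass
class NameConstraints:
    """dNSName entries of a CA's NameConstraints extension (constructed here)."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


def check_dns_san(san: str, nc: NameConstraints) -> Optional[str]:
    """Return None when `san` satisfies the constraints, else the reason.

    Beyond the RFC 5280 subtree tests, a wildcard SAN is also rejected when it
    would match a name inside an excluded subtree: "*.example.com" matches
    exactly one extra label, so it covers an excluded "secret.example.com".
    That extra rule is a policy choice of this example, not RFC text."""
    if "*" in san and not is_wildcard(san):
        return f"malformed wildcard {san!r}"
    if nc.permitted_dns and not any(dns_in_subtree(san, p) for p in nc.permitted_dns):
        return f"{san!r} is outside every permitted subtree"
    for ex in nc.excluded_dns:
        if dns_in_subtree(san, ex):
            return f"{san!r} is inside excluded subtree {ex!r}"
        if is_wildcard(san):
            wild_base = _labels(san)[1:]
            ex_labels = _labels(ex.lstrip("."))
            if len(ex_labels) == len(wild_base) + 1 and ex_labels[1:] == wild_base:
                return f"wildcard {san!r} would match excluded name {ex!r}"
    return None


def check_chain_sans(sans: List[str], nc: NameConstraints) -> List[str]:
    """Violations for every DNS SAN of a leaf; an empty list means accept."""
    return [reason for san in sans if (reason := check_dns_san(san, nc)) is not None]


if __name__ == "__main__":
    # Constructed sample: a subordinate CA constrained to example.com with one
    # excluded host, and the DNS SANs a leaf might present.
    ca = NameConstraints(permitted_dns=["example.com"],
                         excluded_dns=["secret.example.com"])
    for san in ["*.example.com", "*.shop.example.com", "*.com",
                "*.evil.net", "api.secret.example.com", "w*.example.com"]:
        print(f"{san:26} -> {check_dns_san(san, ca) or 'OK'}")
```

In practice the constraint and SAN strings come from the chain itself; with the cryptography library, for instance, `NameConstraints.permitted_subtrees` and `SubjectAlternativeName.get_values_for_type(x509.DNSName)` yield them. An independent cross-check that needs no code is `openssl verify` with the constrained CA as the trust anchor, since OpenSSL enforces name constraints and reports a permitted or excluded subtree violation.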

Mitigation Strategies

To mitigate this vulnerability, update wolfSSL to a release that includes the fix from the referenced pull request. Until the update is applied, treat DNS name constraints on chains validated by wolfSSL as unenforced for wildcard names, and restrict the set of CAs those deployments trust where that is possible.

The fix validates wildcard DNS SANs against name constraints as RFC 5280 specifies, so certificates that violate the issuing CA's permitted or excluded DNS subtrees are rejected.

Applying the update removes the improper certificate validation described above.

Executive Summary

This vulnerability involves certificates that contain wildcard DNS Subject Alternative Names (SANs), such as *.example.com, bypassing the name constraints that the issuing Certificate Authority (CA) carries in its own certificate and that the validating software is expected to enforce. Normally, a CA's permitted or excluded DNS name constraints restrict which domain names a certificate issued under it may cover. Because of this issue, a certificate with a wildcard DNS SAN that should have been rejected for violating those constraints could instead be accepted.

Impact Analysis

The impact is that a wolfSSL-based verifier accepts certificates whose wildcard DNS SANs violate the issuing CA's name constraints. Whoever controls a constrained CA key (for example, a compromised or misconfigured subordinate CA limited to one organization's domains) could issue a wildcard certificate covering domains outside that scope and have wolfSSL clients trust it, enabling man-in-the-middle attacks, impersonation, or interception of secure communications.
