CVE-2026-55958
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Write in Renesas TSIP TLS 1.3 Client

Vulnerability report for CVE-2026-55958, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: wolfSSL Inc.

Description

Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes past the end of the buffer once the accumulated TLS 1.3 handshake transcript exceeds MSGBAG_SIZE (8 KB), corrupting adjacent heap state and potentially causing a remote denial of service crash. The bag is sized to hold a normal handshake, so this is reached only by an unusually large but valid certificate chain, or by a malicious or man-in-the-middle server sending an oversized handshake message to a client that does not strictly verify the chain. This only affects builds using the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled, and is rated High within those builds. All other configurations are unaffected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.4.0 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-393 A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. Specifically, in the function tsip_StoreMessage(), a capacity check that is supposed to prevent writing beyond the fixed message bag size (8 KB) sets an error code but does not stop execution. As a result, the code continues and performs a memory copy (XMEMCPY) that writes past the end of the buffer when the TLS 1.3 handshake transcript exceeds the bag size. This corrupts adjacent heap memory and can cause a remote denial of service crash.

The issue occurs only when an unusually large but valid certificate chain is used or when a malicious or man-in-the-middle server sends an oversized handshake message to a client that does not strictly verify the certificate chain. It affects only builds using the Renesas TSIP TLS port as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled.

Impact Analysis

This vulnerability can lead to corruption of adjacent heap memory and potentially cause a remote denial of service (DoS) crash on affected devices. An attacker could exploit this by sending an oversized TLS 1.3 handshake message, causing the client to crash or behave unpredictably.

The impact is limited to specific builds using the Renesas TSIP TLS port as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled. Other configurations are not affected.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to version 5.9.2 or later, which includes the fix preventing out-of-bounds writes in the Renesas TSIP TLS 1.3 transcript buffer.

The fix ensures that the tsip_StoreMessage() function does not perform unsafe memory copy operations when the message buffer capacity checks fail, thus preventing buffer corruption and potential denial of service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart