CVE-2026-55958
Undergoing Analysis - In Progress
Out-of-Bounds Write in Renesas TSIP TLS 1.3 Client

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity check guarding the fixed message bag (MSGBAG_SIZE) sets an error code but fails to return, so execution falls through to an XMEMCPY that writes past the end of the buffer once the accumulated TLS 1.3 handshake transcript exceeds MSGBAG_SIZE (8 KB), corrupting adjacent heap state and potentially causing a remote denial of service crash. The bag is sized to hold a normal handshake, so this is reached only by an unusually large but valid certificate chain, or by a malicious or man-in-the-middle server sending an oversized handshake message to a client that does not strictly verify the chain. This only affects builds using the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled, and is rated High within those builds. All other configurations are unaffected.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor  | Product | Version / Range
renesas | tsip    | From 1.3 (inc)
wolfssl | wolfssl | From 1.3 (inc)
wolfssl | wolfssl | 5.9.2

CWE ID  | Description
CWE-393 | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to version 5.9.2 or later, which includes the fix preventing out-of-bounds writes in the Renesas TSIP TLS 1.3 transcript buffer.

The fix ensures that the tsip_StoreMessage() function does not perform unsafe memory copy operations when the message buffer capacity checks fail, thus preventing buffer corruption and potential denial of service.
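
The control-flow flaw described above and its correction, as an added example that is not wolfSSL or Renesas source: a scaled-down model in which a guard region stands in for adjacent heap state, so the stray write is observable without leaving the array. All names (bag_model, store_fallthrough, store_checked, ERR_BAG_FULL) and the 64-byte sizes are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not wolfSSL source. Sizes are scaled down; the
 * advisory gives the real bag as MSGBAG_SIZE (8 KB). */
#define BAG_SIZE     64    /* logical capacity of the transcript bag */
#define GUARD_SIZE   64    /* stand-in for adjacent heap state */
#define GUARD_BYTE   0xA5
#define ERR_BAG_FULL (-1)  /* hypothetical error code */
typedef struct { unsigned char mem[BAG_SIZE + GUARD_SIZE]; size_t used; } bag_model;
typedef int (*store_fn)(bag_model *, const unsigned char *, size_t);

/* Flawed pattern: the check records an error but does not return. */
static int store_fallthrough(bag_model *b, const unsigned char *m, size_t n) {
    int ret = 0;
    if (b->used + n > BAG_SIZE)
        ret = ERR_BAG_FULL;          /* missing "return ret;" */
    memcpy(b->mem + b->used, m, n);  /* still runs when ret != 0 */
    b->used += n;
    return ret;
}

/* Corrected pattern: reject before the buffer is touched. */
static int store_checked(bag_model *b, const unsigned char *m, size_t n) {
    if (n > BAG_SIZE - b->used)      /* cannot wrap: used <= BAG_SIZE here */
        return ERR_BAG_FULL;
    memcpy(b->mem + b->used, m, n);
    b->used += n;
    return 0;
}

/* Stores 48 then 32 bytes and returns how many guard bytes were clobbered. */
static int guard_bytes_clobbered(store_fn store) {
    bag_model b = { .used = 0 };
    unsigned char msg[48];
    int hit = 0;
    memset(msg, 0x41, sizeof msg);            /* constructed sample message */
    memset(b.mem, GUARD_BYTE, sizeof b.mem);
    store(&b, msg, 48);                       /* fits in the bag */
    store(&b, msg, 32);                       /* 48 + 32 = 80 > 64 */
    for (size_t i = BAG_SIZE; i < sizeof b.mem; i++)
        hit += (b.mem[i] != GUARD_BYTE);
    return hit;
}

int main(void) {
    printf("fallthrough: %d\n", guard_bytes_clobbered(store_fallthrough));
    printf("checked:     %d\n", guard_bytes_clobbered(store_checked));
    return 0;
}
```

In the flawed variant the caller does receive the error code, but only after the copy has already landed in the guard region, which is why CWE-393 and CWE-787 are both listed.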

Executive Summary

This vulnerability is an out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer. Specifically, in the function tsip_StoreMessage(), a capacity check that is supposed to prevent writing beyond the fixed message bag size (8 KB) sets an error code but does not stop execution. As a result, the code continues and performs a memory copy (XMEMCPY) that writes past the end of the buffer when the TLS 1.3 handshake transcript exceeds the bag size. This corrupts adjacent heap memory and can cause a remote denial of service crash.

The issue occurs only when an unusually large but valid certificate chain is used or when a malicious or man-in-the-middle server sends an oversized handshake message to a client that does not strictly verify the certificate chain. It affects only builds using the Renesas TSIP TLS port as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled.

Impact Analysis

This vulnerability can lead to corruption of adjacent heap memory and potentially cause a remote denial of service (DoS) crash on affected devices. An attacker could exploit this by sending an oversized TLS 1.3 handshake message, causing the client to crash or behave unpredictably.

The impact is limited to specific builds using the Renesas TSIP TLS port as a TLS 1.3 client on Renesas MCUs with TSIP hardware enabled. Other configurations are not affected.
