CVE-2026-55964
Analyzed Analyzed - Analysis Complete

Intermediate CA with CA:TRUE but Missing keyCertSign Accepted as Signing CA in wolfSSL

Vulnerability report for CVE-2026-55964, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: wolfSSL Inc.

Description

Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while building a certificate path were previously exempted from this check, so an intermediate asserting CA:TRUE but lacking keyCertSign was accepted as a signing CA. The check now applies to chain-supplied temporary CAs as well; only operator-loaded root certificates (WOLFSSL_USER_CA) and self-signed roots remain exempt. Per RFC 5280 an absent Key Usage extension implies all usages, so the requirement is enforced only when the extension is actually present (extKeyUsageSet). Affects the OpenSSL-compatibility certificate-path-building path (X509_verify_cert / X509_STORE, OPENSSL_EXTRA/OPENSSL_ALL), where untrusted chain intermediates are added as temporary CAs; native (non-OpenSSL-compat) certificate verification does not create temporary CAs and is unaffected. Within those builds, the check applies unless ALLOW_INVALID_CERTSIGN is defined.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.7.4 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-55964 affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, update the wolfSSL library to version 5.9.2 or later, which includes fixes enforcing key usage restrictions for intermediate certificates and stricter signature verification.

These fixes address the acceptance of intermediate CA certificates without the required keyCertSign key usage and improve overall certificate validation robustness.

Executive Summary

This vulnerability involves the improper acceptance of intermediate Certificate Authorities (CAs) that assert CA:TRUE but lack the required keyCertSign key usage in their certificates. Normally, intermediate CA certificates must have the keyCertSign usage when the Key Usage extension is present. However, in certain certificate path-building processes (specifically the OpenSSL-compatibility path in wolfSSL), temporary chain-supplied intermediate CAs were exempted from this check and could be accepted as signing CAs even without the keyCertSign usage.

This means that an intermediate CA certificate that should not be authorized to sign other certificates could be mistakenly trusted as a signing CA, potentially allowing unauthorized certificate issuance or validation. The fix enforces the keyCertSign check on these temporary chain-supplied CAs as well, aligning with RFC 5280 requirements.

Impact Analysis

The vulnerability can lead to improper trust of intermediate CAs that are not authorized to sign certificates, potentially allowing attackers to create or validate fraudulent certificates. This could undermine the security of TLS/SSL connections, leading to risks such as man-in-the-middle attacks, interception of sensitive data, or impersonation of trusted entities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55964. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart