CVE-2026-6412
Analyzed Analyzed - Analysis Complete

SHA-1/MD5 Certificate Processing Non-Compliance with RFC 8446

Vulnerability report for CVE-2026-6412, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-27

Assigner: wolfSSL Inc.

Description

Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-27
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 3.9.10 (inc) to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability concerns certificate policy and compliance with RFC 8446, specifically regarding the continued acceptance of SHA-1 and MD5 hashing algorithms in certificate processing.

SHA-1 and MD5 are cryptographic hash functions that have known weaknesses, and their continued acceptance in certificate validation processes raises security and compliance concerns.

Impact Analysis

The impact of this vulnerability is relatively low, as indicated by the CVSS base score of 2.3.

However, accepting certificates that use SHA-1 or MD5 can expose systems to risks such as weakened cryptographic assurance, potential certificate forgery, or man-in-the-middle attacks due to the vulnerabilities in these hash algorithms.

Compliance Impact

This vulnerability involves certificate policy and RFC 8446 compliance concerns due to the continued acceptance of SHA-1/MD5 in certificate processing.

Since SHA-1 and MD5 are considered weak cryptographic hash functions, their continued acceptance in certificate processing could undermine the security assurances required by standards and regulations such as GDPR and HIPAA, which mandate strong cryptographic protections to safeguard sensitive data.

Therefore, this vulnerability may negatively impact compliance with these regulations by allowing weaker cryptographic methods that could lead to potential data integrity and confidentiality issues.

Detection Guidance

This vulnerability relates to the acceptance of MD5-signed certificates in the wolfSSL library. Detection involves verifying whether your system or application is accepting MD5-signed certificates during certificate chain verification.

A practical approach is to test certificate verification using wolfSSL's regression test named `test_wolfSSL_CertManagerRejectMD5Cert`, which ensures MD5-signed certificates are rejected.

While no explicit commands are provided, you can run wolfSSL's test suite including this regression test to detect if your current wolfSSL version properly rejects MD5-signed certificates.

Mitigation Strategies

To mitigate this vulnerability, update your wolfSSL library to the version that includes the security fix merged on April 15, 2026.

This fix updates the `HashForSignature()` function to reject MD5-signed certificates by default, preventing weak MD5 hashing in certificate signatures.

Ensure that the macro `WOLFSSL_ALLOW_MD5_CERT_SIGS` is not defined in your build configuration, as defining it would allow MD5-signed certificates and negate the fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart