CVE-2026-7532
Modified Modified - Updated After Analysis

wolfSSL IP Address Name Constraints Bypass

Vulnerability report for CVE-2026-7532, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-01

Assigner: wolfSSL Inc.

Description

iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP address constraints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-01
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves a bypass of IP address name constraints in the WOLFSSL library when the configuration option WOLFSSL_IP_ALT_NAME is not defined.

Specifically, IP address name constraints are not enforced in this configuration, which allows a certificate to bypass the issuing Certificate Authority's (CA) IP address constraints.

Detection Guidance

This vulnerability involves improper enforcement of IP address name constraints in wolfSSL when WOLFSSL_IP_ALT_NAME is not defined, allowing certificates to bypass issuing CA's IP address constraints.

Detection would require verifying whether wolfSSL is configured with WOLFSSL_IP_ALT_NAME enabled and checking certificate validation behavior for IP address constraints.

Since the issue relates to certificate parsing and validation, you can inspect certificates and their Subject Alternative Names (SANs) for IP address constraints using tools like OpenSSL.

  • Use OpenSSL to inspect certificates: openssl x509 -in <certificate.pem> -text -noout
  • Check wolfSSL build configuration or logs to confirm if WOLFSSL_IP_ALT_NAME is defined or not.
  • Monitor wolfSSL logs or enable debugging to detect if IP address constraints are being ignored during certificate validation.
Impact Analysis

Because IP address name constraints are not enforced, an attacker could use a certificate that bypasses the intended IP address restrictions set by the issuing CA.

This could lead to unauthorized use of certificates for IP addresses that should have been restricted, potentially enabling man-in-the-middle attacks or unauthorized access to network resources.

Compliance Impact

The vulnerability allows IP address name constraints to be bypassed in wolfSSL when WOLFSSL_IP_ALT_NAME is not defined, meaning certificates can bypass an issuing CA's IP address constraints. This weakness in certificate validation could potentially undermine the trustworthiness and integrity of secure communications.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to bypass IP address constraints in certificates could lead to unauthorized access or interception of sensitive data, which may impact compliance with data protection and privacy regulations that require strong security controls.

Therefore, this vulnerability could indirectly affect compliance by weakening certificate validation mechanisms that are critical for securing communications and protecting sensitive information under regulations like GDPR and HIPAA.

Mitigation Strategies

To mitigate this vulnerability, ensure that wolfSSL is updated to a version that includes the fix for proper IP address name constraint enforcement.

Specifically, enable the WOLFSSL_IP_ALT_NAME configuration option so that IP address name constraints are enforced during certificate validation.

Apply the patch or update from wolfSSL that addresses this issue, as described in the referenced pull request.

  • Update wolfSSL to the latest version containing the fix.
  • Enable WOLFSSL_IP_ALT_NAME in your build configuration.
  • Test certificate validation to confirm that IP address constraints are now enforced.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart