WolfSSL: Ten Vulnerabilities Disclosed Together Affecting Crypto and Certificate Handling
Ten vulnerabilities disclosed in WolfSSL on June 26, 2026, impacting certificate validation, PKCS#7 processing, and DTLS 1.3 implementations.

Key findings
- Ten vulnerabilities in WolfSSL disclosed on June 26, 2026, affecting certificate validation and crypto functions.
- Issues include a PKCS#7 decode-path buffer overflow, an integer underflow in PKCS#7 "Other Recipient Info" handling, and a Bleichenbacher padding oracle in PKCS#7 KTRI (RSA PKCS#1 v1.5) decryption.
- Certificate chain validation flaws accept intermediates lacking keyCertSign, accept chains that end at an untrusted, peer-supplied intermediate, and skip iPAddress name constraints in some builds.
- A TLS 1.3 post-handshake authentication (PHA) bypass and a pre-authentication DTLS 1.3 heap buffer overflow were also identified.
- All ten vulnerabilities are fixed in WolfSSL version 5.9.1.
On June 26, 2026, ten vulnerabilities were disclosed in the WolfSSL TLS/SSL library within a six-hour window. They affect certificate validation, PKCS#7 processing, and the TLS 1.3 and DTLS 1.3 implementations. The disclosure was coordinated, with many of the CVE records originating from Debian's security team, and the resulting 5.9.1 release should be treated as a security update rather than a routine one.
Several of the issues concern certificate chain validation and trust. CVE-2026-55964: intermediate CA certificates whose keyUsage extension lacks keyCertSign were accepted as signing CAs, so a certificate that was never authorized to issue other certificates could be used to build a chain that validates. CVE-2026-6091: partial-chain verification could accept a chain that terminates at a peer-supplied, untrusted intermediate instead of at a certificate from the local trust store. An attacker can then present a chain ending in an intermediate they control and have it validated, since nothing in the chain need be signed by a trusted anchor.
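Both chain flaws come down to two checks a path validator must make at every link: the issuer must be a CA whose key usage permits certificate signing, and the chain must end at a certificate from the local trust store. The following is an added example written for this article, not wolfSSL's code; it models certificates as plain structs (the field names, the invented subject names and the omission of signature checking are all assumptions of the example) and shows both failing cases alongside a valid chain:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the fields a path validator consults. Illustration written
 * for this article, not wolfSSL's structures or code; signature checks are
 * left out so only the two policy decisions discussed above are shown. */
typedef struct {
    const char *subject;
    const char *issuer;
    bool ca;            /* basicConstraints present with cA = TRUE */
    bool key_cert_sign; /* keyUsage absent, or present and asserting keyCertSign */
    bool trusted;       /* loaded from the local trust store, not sent by the peer */
} cert_t;

enum chain_result {
    CHAIN_OK = 0,
    CHAIN_BROKEN_LINK,     /* issuer name does not match the next cert's subject */
    CHAIN_ISSUER_NOT_CA,   /* a cert used as issuer lacks cA or keyCertSign */
    CHAIN_NO_TRUST_ANCHOR  /* chain ends at a cert that is not in the trust store */
};

/* chain[0] is the end-entity certificate; chain[n-1] is the last one reached. */
enum chain_result validate_chain(const cert_t *chain, size_t n)
{
    if (n == 0)
        return CHAIN_NO_TRUST_ANCHOR;
    for (size_t i = 0; i + 1 < n; i++) {
        const cert_t *subject = &chain[i];
        const cert_t *issuer  = &chain[i + 1];
        if (strcmp(subject->issuer, issuer->subject) != 0)
            return CHAIN_BROKEN_LINK;
        /* A certificate may issue others only if it is a CA whose key usage
         * permits certificate signing. Dropping the key_cert_sign test is the
         * bug class of CVE-2026-55964. */
        if (!issuer->ca || !issuer->key_cert_sign)
            return CHAIN_ISSUER_NOT_CA;
    }
    /* The terminal certificate must come from the local trust store. Stopping
     * at a peer-supplied intermediate is the bug class of CVE-2026-6091. */
    if (!chain[n - 1].trusted)
        return CHAIN_NO_TRUST_ANCHOR;
    return CHAIN_OK;
}

/* Constructed chains; the names are invented for this example. */
enum chain_result example_valid(void)
{
    const cert_t chain[] = {
        { "www.example.test", "Example Int",  false, false, false },
        { "Example Int",      "Example Root", true,  true,  false },
        { "Example Root",     "Example Root", true,  true,  true  },
    };
    return validate_chain(chain, 3);
}

/* The intermediate asserts cA but its keyUsage omits keyCertSign. */
enum chain_result example_missing_keycertsign(void)
{
    const cert_t chain[] = {
        { "www.example.test", "Example Int",  false, false, false },
        { "Example Int",      "Example Root", true,  false, false },
        { "Example Root",     "Example Root", true,  true,  true  },
    };
    return validate_chain(chain, 3);
}

/* The peer sends its own self-signed "intermediate" and nothing from the
 * trust store is reached; accepting this lets the peer pick its own anchor. */
enum chain_result example_partial_chain(void)
{
    const cert_t chain[] = {
        { "www.example.test", "Attacker Int", false, false, false },
        { "Attacker Int",     "Attacker Int", true,  true,  false },
    };
    return validate_chain(chain, 2);
}

int main(void)
{
    printf("valid=%d missing_keycertsign=%d partial=%d (0 means accepted)\n",
           (int)example_valid(), (int)example_missing_keycertsign(),
           (int)example_partial_chain());
    return 0;
}
```

In a real validator these checks sit beside signature verification, validity-period and revocation checks; the point here is that neither of the two policy tests may be skipped, and that "trusted" is a property of where a certificate was loaded from, never something the peer asserts.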
A second group affects PKCS#7 handling. CVE-2026-6681: the PKCS#7 decode path ignored the caller's output buffer size, so an object larger than the buffer overflows it. CVE-2026-6678: an integer underflow in wc_PKCS7_DecryptOri when processing crafted "Other Recipient Info" fields yields a wrapped, far too large length. CVE-2026-6291: PKCS#7 KTRI decryption with RSA PKCS#1 v1.5 returned distinguishable error codes for different padding failures, giving an attacker a Bleichenbacher oracle with which to recover encrypted content-encryption keys by submitting modified ciphertexts and observing which error comes back. CVE-2026-55961: wolfSSL_PKCS7_verify() returned success for PKCS#7 objects that contain no signer at all, so unsigned content was reported as verified.
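The oracle in CVE-2026-6291 is the difference between error codes. The added example below, written for this article and not taken from wolfSSL, contrasts a PKCS#1 v1.5 unpadding routine that returns a distinct code per failure with one that follows the RFC 3218 approach for KTRI: fix the expected key length in advance, check every octet regardless of earlier failures, and on any failure hand back a caller-supplied random key so decryption proceeds and fails uniformly later. The 32-octet block, the 16-octet key and the fixed fallback key are constructed test data (a real encoded message is the RSA modulus size and the fallback is freshly random); the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PKCS#1 v1.5 type 2 encoding: EM = 00 || 02 || PS || 00 || M, PS >= 8 nonzero
 * octets. Illustration written for this article, not wolfSSL's code. */
enum unpad_err {
    UNPAD_OK = 0,
    UNPAD_BAD_HEADER,   /* first two octets are not 00 02 */
    UNPAD_NO_SEPARATOR, /* no 00 octet after the padding string */
    UNPAD_SHORT_PS,     /* fewer than 8 padding octets */
    UNPAD_BAD_LENGTH    /* recovered key has the wrong length */
};

/* Vulnerable pattern: each check returns early with its own code, so a peer
 * can tell a header failure from a separator failure. That distinction is
 * exactly the oracle Bleichenbacher's attack needs. */
enum unpad_err unpad_leaky(const uint8_t *em, size_t em_len,
                           uint8_t *key_out, size_t key_len)
{
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x02)
        return UNPAD_BAD_HEADER;
    size_t i = 2;
    while (i < em_len && em[i] != 0x00)
        i++;
    if (i == em_len)
        return UNPAD_NO_SEPARATOR;
    if (i - 2 < 8)
        return UNPAD_SHORT_PS;
    if (em_len - i - 1 != key_len)
        return UNPAD_BAD_LENGTH;
    memcpy(key_out, em + i + 1, key_len);
    return UNPAD_OK;
}

/* 1 if x == 0, else 0, computed without a data-dependent branch. */
static uint8_t ct_is_zero(uint8_t x)
{
    return (uint8_t)(((uint32_t)x - 1u) >> 31);
}

/* Hardened pattern: key length known up front, every octet examined, and any
 * failure silently selects the fallback key. The caller then fails later at
 * content decryption, identically for every kind of padding error. Returns -1
 * only when the (public) length parameters are unusable. */
int unpad_hardened(const uint8_t *em, size_t em_len, size_t key_len,
                   const uint8_t *fallback_key, uint8_t *key_out)
{
    if (em_len < 11 || key_len > em_len - 11)
        return -1;
    size_t sep = em_len - key_len - 1;               /* where the 00 separator must be */
    uint8_t bad = 0;
    bad |= em[0];                                    /* must be 00 */
    bad |= em[1] ^ 0x02;                             /* must be 02 */
    for (size_t i = 2; i < sep; i++)
        bad |= ct_is_zero(em[i]);                    /* PS must contain no 00 octet */
    bad |= em[sep];                                  /* separator must be 00 */
    uint8_t mask = (uint8_t)(0u - ct_is_zero(bad));  /* FF if good, 00 if bad */
    for (size_t i = 0; i < key_len; i++)
        key_out[i] = (uint8_t)((em[sep + 1 + i] & mask) | (fallback_key[i] & ~mask));
    return 0;
}

/* Constructed 32-octet test block: 00 02, thirteen nonzero PS octets, 00, a
 * 16-octet key. A real EM is the RSA modulus size. */
static const uint8_t GOOD_EM[32] = {
    0x00, 0x02,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd,
    0x00,
    'k','e','y','-','m','a','t','e','r','i','a','l','-','1','2','3'
};
/* Stands in for the fresh random key a real implementation would draw. */
static const uint8_t FALLBACK[16] = { 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0,
                                      0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0 };

/* Error code the leaky decoder returns when GOOD_EM[pos] is replaced by val. */
int leaky_code(size_t pos, uint8_t val)
{
    uint8_t em[32], key[16];
    memcpy(em, GOOD_EM, 32);
    em[pos] = val;
    return (int)unpad_leaky(em, 32, key, 16);
}

/* 1 if the hardened decoder handed back FALLBACK for the same corruption,
 * 0 if it recovered the embedded key, -1 on a parameter error. */
int hardened_used_fallback(size_t pos, uint8_t val)
{
    uint8_t em[32], key[16];
    memcpy(em, GOOD_EM, 32);
    em[pos] = val;
    if (unpad_hardened(em, 32, 16, FALLBACK, key) != 0)
        return -1;
    return memcmp(key, FALLBACK, 16) == 0;
}

int main(void)
{
    printf("leaky codes: header=%d separator=%d shortPS=%d length=%d\n",
           leaky_code(1, 0x01), leaky_code(15, 0x7f), leaky_code(5, 0x00), leaky_code(10, 0x00));
    printf("hardened fallback used: %d %d %d %d\n",
           hardened_used_fallback(1, 0x01), hardened_used_fallback(15, 0x7f),
           hardened_used_fallback(5, 0x00), hardened_used_fallback(10, 0x00));
    return 0;
}
```

The four corruptions produce four different codes from the leaky decoder and one indistinguishable outcome from the hardened one. The mask-based selection avoids data-dependent branches at the C level, but genuinely constant-time behaviour also depends on the compiler and should be confirmed on the built binary.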
The batch also includes protocol-level issues in TLS and DTLS. CVE-2026-55962 is a TLS 1.3 post-handshake authentication (PHA) flaw: after sending a CertificateRequest, the server could accept the client's Finished without a preceding Certificate and CertificateVerify, carrying over into PHA a leniency that was intended only for the initial handshake. A client could thus complete post-handshake authentication without ever proving possession of a certificate key. CVE-2026-6679 is a heap buffer overflow in the DTLS 1.3 ACK serialization path: an integer truncation produced an undersized allocation that the subsequent write overran. Because the path is reachable before peer authentication, an unauthenticated network peer can trigger it.
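Both the DTLS 1.3 ACK overflow and the PKCS#7 decode-path overflow above are failures of length arithmetic: a size computed in a type too small for it, or a computed size never compared with the caller's buffer. The added example below, written for this article and not wolfSSL's code, serializes a DTLS 1.3 ACK body as RFC 9147 defines it (a 2-octet length followed by 16-octet RecordNumber entries of epoch and sequence number). It shows the truncating size computation next to a serializer that does its arithmetic in size_t, enforces the protocol's 65535-octet limit, and refuses a caller buffer that is too small instead of writing past it. The function names and the two acknowledged record numbers are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 9147:
 *   struct { uint64 epoch; uint64 sequence_number; } RecordNumber;   (16 octets)
 *   struct { RecordNumber record_numbers<0..2^16-1>; } ACK;          (2-octet length)
 * Illustration written for this article, not wolfSSL's code. */
typedef struct { uint64_t epoch; uint64_t seq; } record_number_t;

#define RECORD_NUMBER_LEN 16u
#define ACK_VECTOR_MAX    65535u   /* largest value the 2-octet length can carry */

/* Vulnerable pattern: the body length lands in a 16-bit variable. 4096 record
 * numbers need 65536 octets, which truncates to 0; an allocation sized from
 * this value is then overrun by the copy loop that uses the real count. */
uint16_t ack_body_len_truncated(size_t count)
{
    uint16_t len = (uint16_t)(count * RECORD_NUMBER_LEN);
    return len;
}

static void put_u64(uint8_t *p, uint64_t v)   /* network byte order */
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* Hardened serializer: arithmetic in size_t, checked against the protocol
 * limit and the caller's buffer before anything is written. Returns octets
 * written, or 0 on error (a valid ACK is never shorter than its 2-octet prefix). */
size_t serialize_ack(const record_number_t *rn, size_t count,
                     uint8_t *out, size_t out_len)
{
    if (count > ACK_VECTOR_MAX / RECORD_NUMBER_LEN)   /* body must fit in 16 bits */
        return 0;
    size_t body  = count * RECORD_NUMBER_LEN;         /* count <= 4095, cannot overflow */
    size_t total = 2 + body;
    if (out == NULL || out_len < total)               /* respect the caller's buffer */
        return 0;
    out[0] = (uint8_t)(body >> 8);
    out[1] = (uint8_t)body;
    for (size_t i = 0; i < count; i++) {
        put_u64(out + 2 + i * RECORD_NUMBER_LEN,     rn[i].epoch);
        put_u64(out + 2 + i * RECORD_NUMBER_LEN + 8, rn[i].seq);
    }
    return total;
}

/* Constructed example: acknowledge epoch 2, sequence numbers 7 and 9. Returns
 * octet idx of the encoding, or -1 if serialization failed or idx is past the end. */
int example_two_records_octet(size_t idx)
{
    const record_number_t rn[2] = { { 2, 7 }, { 2, 9 } };
    uint8_t buf[2 + 2 * RECORD_NUMBER_LEN];
    size_t n = serialize_ack(rn, 2, buf, sizeof buf);
    if (n == 0 || idx >= n)
        return -1;
    return buf[idx];
}

/* Same two records offered a buffer one octet too small: must be refused. */
size_t example_undersized_buffer(void)
{
    const record_number_t rn[2] = { { 2, 7 }, { 2, 9 } };
    uint8_t buf[2 + 2 * RECORD_NUMBER_LEN - 1];
    return serialize_ack(rn, 2, buf, sizeof buf);
}

int main(void)
{
    printf("truncated length for 4096 records: %u (should have been 65536)\n",
           (unsigned)ack_body_len_truncated(4096));
    printf("hardened serializer, 4096 records: %zu octets (0 = refused)\n",
           serialize_ack(NULL, 4096, NULL, 0));
    printf("two records: length prefix %d %d, undersized buffer -> %zu\n",
           example_two_records_octet(0), example_two_records_octet(1),
           example_undersized_buffer());
    return 0;
}
```

The same discipline applies on the decode side: a parser receives the caller's buffer size as a parameter precisely so that it can refuse input that would not fit, and any subtraction of one parsed length from another must be preceded by a check that the result cannot wrap.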
Two further issues round out the batch. CVE-2026-7532 is an iPAddress name constraints bypass: when WolfSSL is built without WOLFSSL_IP_ALT_NAME defined, IP address entries in a certificate's subjectAltName were not checked against the issuing CA's name constraints, so a constrained CA could issue certificates for IP addresses outside its permitted range. CVE-2026-8720: wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key is longer than the hash block size (128 bytes for BLAKE2b, 64 for BLAKE2s), so the resulting MAC depends only on the key and would verify any message under that key. A regression test that MACs two distinct messages with a key longer than the block size and checks that the outputs differ catches this class of bug.
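Name constraints on iPAddress names are simple to evaluate, and the failure mode in CVE-2026-7532 is not a wrong comparison but a comparison that never ran: with IP SAN support compiled out, the constraint was not applied. The added example below, written for this article and not wolfSSL's code, implements the RFC 5280 rule (a subtree is address || mask; a name matches when it equals the base address under the mask; an excluded match rejects; if any permitted subtrees of the type exist, the name must match one) and treats a malformed subtree as a fatal error rather than something to skip. The constraints and addresses are constructed from the documentation ranges 192.0.2.0/24 and 2001:db8::/32; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5280 4.2.1.10 encodes an iPAddress GeneralSubtree as address || mask:
 * 8 octets for IPv4, 32 for IPv6. A SAN iPAddress is 4 or 16 octets.
 * Illustration written for this article, not wolfSSL's code. */
typedef struct { const uint8_t *p; size_t len; } octets_t;

/* 1 = SAN lies in the subtree, 0 = it does not (a different address family
 * counts as "does not"), -1 = malformed encoding, which must fail the whole
 * certificate rather than be skipped. */
int ip_in_subtree(octets_t san, octets_t subtree)
{
    if (san.len != 4 && san.len != 16)
        return -1;
    if (subtree.len != 8 && subtree.len != 32)
        return -1;
    if (subtree.len != 2 * san.len)
        return 0;
    const uint8_t *base = subtree.p;
    const uint8_t *mask = subtree.p + san.len;
    for (size_t i = 0; i < san.len; i++)
        if ((san.p[i] & mask[i]) != (base[i] & mask[i]))
            return 0;
    return 1;
}

/* Full rule for one SAN iPAddress: reject on any excluded match; if any
 * permitted iPAddress subtrees exist, require a match with one of them.
 * Returns 1 allowed, 0 rejected, -1 malformed. */
int ip_allowed(octets_t san, const octets_t *permitted, size_t n_permitted,
               const octets_t *excluded, size_t n_excluded)
{
    for (size_t i = 0; i < n_excluded; i++) {
        int r = ip_in_subtree(san, excluded[i]);
        if (r == 1) return 0;
        if (r < 0)  return -1;
    }
    if (n_permitted == 0)
        return 1;
    for (size_t i = 0; i < n_permitted; i++) {
        int r = ip_in_subtree(san, permitted[i]);
        if (r != 0) return r;   /* 1 = permitted, -1 = malformed */
    }
    return 0;
}

/* Constructed constraints: permitted 192.0.2.0/24, excluded 192.0.2.0/25,
 * plus a deliberately truncated 5-octet subtree. */
static const uint8_t PERMIT_V4[8]  = { 192, 0, 2, 0, 255, 255, 255, 0 };
static const uint8_t EXCLUDE_V4[8] = { 192, 0, 2, 0, 255, 255, 255, 128 };
static const uint8_t TRUNCATED[5]  = { 192, 0, 2, 0, 255 };

static int check(const uint8_t *ip, size_t ip_len, const uint8_t *permit, size_t permit_len)
{
    octets_t san  = { ip, ip_len };
    octets_t perm = { permit, permit_len };
    octets_t excl = { EXCLUDE_V4, 8 };
    return ip_allowed(san, &perm, 1, &excl, 1);
}

int example_allowed(void)            /* 192.0.2.200: in the /24, above the excluded /25 */
{
    static const uint8_t ip[4] = { 192, 0, 2, 200 };
    return check(ip, 4, PERMIT_V4, 8);
}
int example_excluded(void)           /* 192.0.2.10: inside the excluded /25 */
{
    static const uint8_t ip[4] = { 192, 0, 2, 10 };
    return check(ip, 4, PERMIT_V4, 8);
}
int example_outside_permitted(void)  /* 198.51.100.5: in no permitted subtree */
{
    static const uint8_t ip[4] = { 198, 51, 100, 5 };
    return check(ip, 4, PERMIT_V4, 8);
}
int example_v6_vs_v4_constraint(void) /* 2001:db8::1 against an IPv4-only permitted list */
{
    static const uint8_t ip[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
    return check(ip, 16, PERMIT_V4, 8);
}
int example_malformed_subtree(void)  /* 5-octet subtree: fail closed */
{
    static const uint8_t ip[4] = { 192, 0, 2, 200 };
    return check(ip, 4, TRUNCATED, 5);
}

int main(void)
{
    printf("allowed=%d excluded=%d outside=%d v6=%d malformed=%d\n",
           example_allowed(), example_excluded(), example_outside_permitted(),
           example_v6_vs_v4_constraint(), example_malformed_subtree());
    return 0;
}
```

The lesson of the CVE is in the calling code, not in these functions: when a CA carries iPAddress constraints and the leaf carries iPAddress SANs, a validator that cannot evaluate them (because the feature is compiled out, or the encoding is malformed) has to fail the certificate, not fall through to success.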
All ten issues are fixed in WolfSSL 5.9.1; the affected range given for them is 5.9.0 and earlier. WolfSSL is frequently vendored or statically linked into firmware and appliance images, so for many deployments the fix means rebuilding and reshipping those images rather than updating a shared library, and an inventory of where the library is embedded is the first step.
Key areas of concern include:
- Improper validation of intermediate CA certificates and partial certificate chains.
- A buffer overflow and an integer underflow in PKCS#7 decoding and decryption, and acceptance of PKCS#7 objects with no signer.
- A Bleichenbacher padding oracle in PKCS#7 KTRI decryption.
- A TLS 1.3 PHA bypass and a pre-authentication DTLS 1.3 heap buffer overflow.
- An iPAddress name constraint bypass and a message-independent BLAKE2 HMAC.
Anyone running an affected build should upgrade to 5.9.1.