Medium severity4.0NVD Advisory· Published Apr 9, 2026· Updated Apr 29, 2026

CVE-2026-5507

Description

When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs.

Affected products

WolfSSL/Wolfssl
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Range: <=5.9.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/wolfSSL/wolfssl/pull/10088nvdIssue TrackingPatch

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

4.0/ 10

CVSS v44.1

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Local
Complexity: High
Privileges: High
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

EPSS

Probability of exploitation in the next 30 days.

0.02%

VYPR risk score

Composite of severity, exploitation, and reach.

0.26low

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-502
Deserialization of Untrusted Data

CVE ID

CVE-2026-5507

Credits

SY
Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH)
finder
SL
Sunwoo Lee (Korea Institute of Energy Technology, KENTECH)
finder
WC
Woohyun Choi (Korea Institute of Energy Technology, KENTECH)
finder