CVE-2026-5263 | THREATINT

Description

URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

PUBLISHED Reserved 2026-03-31 | Published 2026-04-09 | Updated 2026-04-10 | Assigner wolfSSL

HIGH: 7.0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status

unaffected

Any version before 5.9.1

affected

Credits

Oleh Konko @1seal finder

References

github.com/wolfSSL/wolfssl/pull/10048

cve.org (CVE-2026-5263)

nvd.nist.gov (CVE-2026-5263)

Download JSON