CVE-2026-5187 (GCVE-0-2026-5187)
Vulnerability from cvelistv5
Published
2026-04-09 19:45
Modified
2026-04-14 14:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:03:11.195034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:04:53.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"wolfcrypt/src/asn.c"
],
"product": "wolfSSL",
"programFiles": [
"wolfcrypt/src/asn.c"
],
"vendor": "wolfSSL",
"versions": [
{
"lessThanOrEqual": "5.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBug 1 (off-by-one) affects any code calling DecodeObjectId() with an output buffer of size 1. Bug 2 (sizeof mismatch) is reachable via network when wolfSSL is compiled with HAVE_OID_DECODING or WOLFSSL_ASN_PRINT, and WC_ASN_UNKNOWN_EXT_CB is enabled with a registered unknown extension callback.\u003c/p\u003e"
}
],
"value": "Bug 1 (off-by-one) affects any code calling DecodeObjectId() with an output buffer of size 1. Bug 2 (sizeof mismatch) is reachable via network when wolfSSL is compiled with HAVE_OID_DECODING or WOLFSSL_ASN_PRINT, and WC_ASN_UNKNOWN_EXT_CB is enabled with a registered unknown extension callback."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ytsun, Independent Security Researcher"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTwo potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:45:39.937Z",
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"shortName": "wolfSSL"
},
"references": [
{
"name": "wolfSSL GitHub Repository",
"url": "https://github.com/wolfSSL/wolfssl"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFix Bug 1: Add a bounds check requiring at least 2 output slots before writing the first OID arc split (y == 0 case). Fix Bug 2: Change callers to pass the element count (MAX_OID_SZ) instead of sizeof(decOid) as the output buffer size parameter.\u003c/p\u003e"
}
],
"value": "Fix Bug 1: Add a bounds check requiring at least 2 output slots before writing the first OID arc split (y == 0 case). Fix Bug 2: Change callers to pass the element count (MAX_OID_SZ) instead of sizeof(decOid) as the output buffer size parameter."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable WC_ASN_UNKNOWN_EXT_CB or do not register an unknown extension callback if not required. This mitigates the network-reachable variant (Bug 2) but does not address Bug 1.\u003c/p\u003e"
}
],
"value": "Do not enable WC_ASN_UNKNOWN_EXT_CB or do not register an unknown extension callback if not required. This mitigates the network-reachable variant (Bug 2) but does not address Bug 1."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"assignerShortName": "wolfSSL",
"cveId": "CVE-2026-5187",
"datePublished": "2026-04-09T19:45:39.937Z",
"dateReserved": "2026-03-30T19:57:33.843Z",
"dateUpdated": "2026-04-14T14:04:53.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5187\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T14:03:11.195034Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-14T14:04:21.909Z\"}}], \"cna\": {\"title\": \"Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"ytsun, Independent Security Researcher\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"wolfSSL\", \"modules\": [\"wolfcrypt/src/asn.c\"], \"product\": \"wolfSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.9.0\"}], \"programFiles\": [\"wolfcrypt/src/asn.c\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Fix Bug 1: Add a bounds check requiring at least 2 output slots before writing the first OID arc split (y == 0 case). Fix Bug 2: Change callers to pass the element count (MAX_OID_SZ) instead of sizeof(decOid) as the output buffer size parameter.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eFix Bug 1: Add a bounds check requiring at least 2 output slots before writing the first OID arc split (y == 0 case). Fix Bug 2: Change callers to pass the element count (MAX_OID_SZ) instead of sizeof(decOid) as the output buffer size parameter.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://github.com/wolfSSL/wolfssl\", \"name\": \"wolfSSL GitHub Repository\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Do not enable WC_ASN_UNKNOWN_EXT_CB or do not register an unknown extension callback if not required. This mitigates the network-reachable variant (Bug 2) but does not address Bug 1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDo not enable WC_ASN_UNKNOWN_EXT_CB or do not register an unknown extension callback if not required. This mitigates the network-reachable variant (Bug 2) but does not address Bug 1.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eTwo potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122: Heap-based Buffer Overflow\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787: Out-of-bounds Write\"}]}], \"configurations\": [{\"lang\": \"en\", \"value\": \"Bug 1 (off-by-one) affects any code calling DecodeObjectId() with an output buffer of size 1. Bug 2 (sizeof mismatch) is reachable via network when wolfSSL is compiled with HAVE_OID_DECODING or WOLFSSL_ASN_PRINT, and WC_ASN_UNKNOWN_EXT_CB is enabled with a registered unknown extension callback.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eBug 1 (off-by-one) affects any code calling DecodeObjectId() with an output buffer of size 1. Bug 2 (sizeof mismatch) is reachable via network when wolfSSL is compiled with HAVE_OID_DECODING or WOLFSSL_ASN_PRINT, and WC_ASN_UNKNOWN_EXT_CB is enabled with a registered unknown extension callback.\u003c/p\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"50d2cd11-d01a-48ed-9441-5bfce9d63b27\", \"shortName\": \"wolfSSL\", \"dateUpdated\": \"2026-04-09T19:45:39.937Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-5187\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-14T14:04:53.585Z\", \"dateReserved\": \"2026-03-30T19:57:33.843Z\", \"assignerOrgId\": \"50d2cd11-d01a-48ed-9441-5bfce9d63b27\", \"datePublished\": \"2026-04-09T19:45:39.937Z\", \"assignerShortName\": \"wolfSSL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…