CVE Catalog

CVE-2026-5263

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile - higher than 5% of all known CVEs

Summary

A vulnerability in the wolfSSL library causes URI nameConstraints from constrained intermediate CAs to be parsed but not enforced during certificate chain verification. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

Risk Assessment

The organization may accept fraudulent leaf certificates with unauthorized URI SANs, enabling man-in-the-middle attacks or impersonation of trusted services if an attacker controls a sub-CA.

Recommendation

Immediately update the wolfSSL library to a version that fixes the enforcement of URI nameConstraints. If an update is not possible, temporarily restrict trust in sub-CAs or manually verify URI SAN compliance with constraints.

Original NVD description (English source)

URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS