CVE-2026-6679
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun.
Risk Assessment
An unauthenticated remote attacker could exploit this vulnerability to cause a denial of service or potentially execute arbitrary code in the context of the process using wolfSSL.
Recommendation
Upgrade wolfSSL to version 5.9.1 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun. This affects builds using DTLS 1.3 and wolfSSL version 5.9.0 and earlier. A fix was added to the 5.9.1 release.

