CVE-2026-10098
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A vulnerability in the wolfSSL_OCSP_resp_find_status function of the wolfSSL library causes serial number comparison in OCSP responses to not require equal length. This allows a SingleResponse for a certificate whose serial is a prefix of the target's serial to be incorrectly matched, returning the wrong certificate's revocation status.
Risk Assessment
The organization may receive a false certificate revocation status, potentially leading to acceptance of a revoked certificate or rejection of a valid one, compromising trust in TLS communication and the integrity of the verification process.
Recommendation
Immediately update the wolfSSL library to a version containing the fix that requires serial lengths to be equal before comparing the serial bytes in the OCSP function.
Original NVD description (English source)
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.

