CVE Catalog

CVE-2026-11999

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

The vulnerability allows bypassing X.509 trust-chain validation in the wolfSSL_X509_verify_cert() function of wolfSSL compiled with --enable-opensslextra. When the application supplies untrusted intermediate certificates and the chain exceeds the maximum allowed depth (default 100), the validator accepts an attacker-controlled certificate without reaching a trusted anchor.

Risk Assessment

The risk involves accepting a forged certificate controlled by an attacker, which could lead to impersonation of a trusted party or interception of communication in applications using this function.

Recommendation

It is recommended to update wolfSSL to a patched version or avoid calling X509_verify_cert() with untrusted intermediate certificates. For applications using native wolfSSL TLS/DTLS, the vulnerability poses no threat.

Original NVD description (English source)

X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cert() with caller-supplied untrusted intermediates; for those users it is critical, otherwise the library is unaffected. Native wolfSSL TLS/DTLS usage is not impacted. X509_verify_cert() returned success based only on the last verified link rather than on reaching a trust anchor: when the supplied chain is deeper than the verifier's maximum path depth (default 100), path building runs out of depth while still walking untrusted intermediates and the chain is accepted even though it never reaches a configured trust anchor, allowing acceptance of an attacker-controlled certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is not affected; only applications doing manual or deferred verification through this API are.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS