CVE-2026-5263
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
A vulnerability in the wolfSSL library causes URI nameConstraints from constrained intermediate CAs to be parsed but not enforced during certificate chain verification. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.
Risk Assessment
The organization may accept fraudulent leaf certificates with unauthorized URI SANs, enabling man-in-the-middle attacks or impersonation of trusted services if an attacker controls a sub-CA.
Recommendation
Immediately update the wolfSSL library to a version that fixes the enforcement of URI nameConstraints. If an update is not possible, temporarily restrict trust in sub-CAs or manually verify URI SAN compliance with constraints.
Original NVD description (English source)
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

