Encryption, Application security, Vulnerability Management, Patch/Configuration Management

Critical wolfSSL vulnerability allows forged certificates

Cybersecurity Alert Critical System Vulnerability Detected

A critical vulnerability in the wolfSSL SSL/TLS library, tracked as CVE-2026-5194, can weaken security by improperly verifying the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit this issue to force a target device or application to accept forged certificates for malicious servers or connections, as reported by Bleeping Computer.

The vulnerability, discovered by Nicholas Carlini, is a cryptographic validation flaw affecting multiple signature algorithms in wolfSSL, including ECDSA/ECC, DSA, ML-DSA, Ed25519, and Ed448. An attacker can exploit this by supplying a forged certificate with a smaller digest than cryptographically appropriate, allowing the system to accept a signature that is easier to falsify. This could lead to reduced security of ECDSA certificate-based authentication. wolfSSL is a lightweight TLS/SSL implementation used in over 5 billion applications and devices worldwide, including embedded systems, IoT devices, and industrial control systems. The issue was addressed in wolfSSL version 5.9.1, released on April 8.

Organizations using wolfSSL are advised to promptly apply security updates to ensure certificate validation remains secure. System administrators managing environments that rely on Linux distribution packages or vendor firmware should seek downstream vendor advisories, as exploitation may depend on specific deployment conditions.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds