CVE-2026-5448

Description

X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* - VULNERABLE

wolfSSL (修复前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/asn1.h>

// Conceptual PoC for CVE-2026-5448
// This demonstrates the vulnerable function call flow.
// Actual exploitation requires a crafted certificate DER blob.

int main() {
    WOLFSSL_CERT* cert;
    // Assume 'malicious_cert_der' contains a crafted certificate
    // with an excessively long date field in the validity structure.
    const unsigned char* malicious_cert_der = ...; 
    long der_len = ...;

    // Load the certificate (simulated)
    cert = wolfSSL_X509_d2i(malicious_cert_der, der_len);
    if (cert) {
        char buffer[260]; // Target buffer to overflow
        
        // Trigger the vulnerability in compatibility layer
        // This call copies the date string without proper length check
        const char* date_str = wolfSSL_X509_notAfter(cert);
        
        if (date_str) {
            // If the date string is longer than the destination buffer in the
            // internal implementation or if the function itself overflows
            // internal stack, a crash occurs.
            printf("Date: %s\n", date_str);
        }
        
        wolfSSL_X509_free(cert);
    }
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5448
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5448
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5448/
[4] VulDB https://vuldb.com/cve/CVE-2026-5448
[5] https://github.com/wolfSSL/wolfssl/pull/10071

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5448", "sourceIdentifier": "[email protected]", "published": "2026-04-10T00:16:35.890", "lastModified": "2026-04-29T13:56:59.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.9.1", "matchCriteriaId": "261C41E4-7F04-4C98-AD63-110136730EE9"}]}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/10071", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}