CVE-2026-5503

CRITICAL

out-of-bounds write in TLSX_EchChangeSNI via attacker-controlled publicName

Title source: cna

Description

In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.

References (1)

Core 1

Core References

https://github.com/wolfSSL/wolfssl/pull/10102

Scores

CVSS v3 9.1

EPSS 0.0036

EPSS Percentile 27.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-787

Status published

Products (2)

wolfSSL/wolfSSL < 5.9.0

wolfssl/wolfssl < 5.9.0

Published Apr 09, 2026

Tracked Since Apr 10, 2026