๐Ÿ” CVE Alert

CVE-2026-2646

Heap buffer overflow in session parsing with wolfSSL_d2i_SSL_SESSION() function

Severity: UNKNOWN (not yet scored)
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A heap buffer overflow exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data in a build with SESSION_CERTS enabled, the certificate and session ID lengths are read from untrusted input and used without bounds validation, so an attacker-controlled length can overflow the fixed-size buffers in the session object and corrupt heap memory. Triggering the bug requires a maliciously crafted serialized session to be loaded from an external source; sessions created internally by the library were not affected.
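The bug class described above, as an added illustration that is not wolfSSL's code: a toy session deserializer that takes its lengths from the input, shown first with the vulnerable pattern (only the source buffer is bounds-checked, so an attacker-declared length drives memcpy past a fixed-size field) and then with the hardened form that also checks each length against the capacity of its destination. The wire format, the toy_/TOY_ names and the buffer sizes are all assumptions made for this example and do not describe wolfSSL's session encoding.

```c
/* Added illustration of the bug class in this advisory (CWE-122); this is
 * not wolfSSL's code. A toy TLV "session" deserializer takes its lengths
 * from the input. Constructed wire format for this example:
 *   [1 byte id_len][id][2 bytes big-endian cert_len][cert]
 * All toy_/TOY_ names, sizes and the format itself are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_MAX_ID_LEN   32   /* fixed-size session-ID field */
#define TOY_MAX_CERT_LEN 256  /* fixed-size certificate field */

typedef struct {
    uint8_t id[TOY_MAX_ID_LEN];
    size_t  id_len;
    uint8_t cert[TOY_MAX_CERT_LEN];
    size_t  cert_len;
} toy_session;

/* Vulnerable pattern: only the source is bounds-checked (no over-read); the
 * destination capacity is not, so an attacker-declared length drives memcpy
 * past the fixed-size fields. Returns bytes consumed, 0 on error. */
size_t toy_d2i_session_unchecked(toy_session *s, const uint8_t *in, size_t in_len)
{
    size_t pos = 0, id_len, cert_len;
    if (in_len < 1) return 0;
    id_len = in[pos++];
    if (in_len - pos < id_len) return 0;
    memcpy(s->id, in + pos, id_len);           /* BUG: id_len up to 255, field is 32 */
    s->id_len = id_len; pos += id_len;
    if (in_len - pos < 2) return 0;
    cert_len = ((size_t)in[pos] << 8) | in[pos + 1]; pos += 2;
    if (in_len - pos < cert_len) return 0;
    memcpy(s->cert, in + pos, cert_len);       /* BUG: cert_len up to 65535, field is 256 */
    s->cert_len = cert_len;
    return pos + cert_len;
}

/* Hardened form: each input-derived length is compared with the capacity of
 * the field it will be written into before any copy. */
size_t toy_d2i_session_checked(toy_session *s, const uint8_t *in, size_t in_len)
{
    size_t pos = 0, id_len, cert_len;
    if (in_len < 1) return 0;
    id_len = in[pos++];
    if (id_len > TOY_MAX_ID_LEN || in_len - pos < id_len) return 0;
    memcpy(s->id, in + pos, id_len);
    s->id_len = id_len; pos += id_len;
    if (in_len - pos < 2) return 0;
    cert_len = ((size_t)in[pos] << 8) | in[pos + 1]; pos += 2;
    if (cert_len > TOY_MAX_CERT_LEN || in_len - pos < cert_len) return 0;
    memcpy(s->cert, in + pos, cert_len);
    s->cert_len = cert_len;
    return pos + cert_len;
}

/* Builds a blob that declares id_len/cert_len and carries exactly that many
 * bytes, so the over-read guard passes and only the capacity check differs.
 * Returns the blob length, 0 if out is too small. */
size_t toy_build_blob(uint8_t *out, size_t out_cap, uint8_t id_len, uint16_t cert_len)
{
    size_t need = 1 + (size_t)id_len + 2 + (size_t)cert_len;
    if (out_cap < need) return 0;
    out[0] = id_len;
    memset(out + 1, 'I', id_len);
    out[1 + id_len] = (uint8_t)(cert_len >> 8);
    out[2 + id_len] = (uint8_t)(cert_len & 0xFF);
    memset(out + 3 + id_len, 'C', cert_len);
    return need;
}

/* Constructed benign blob: 4-byte ID "abcd", 3-byte "certificate". */
static const uint8_t toy_good_blob[] = { 4, 'a', 'b', 'c', 'd', 0x00, 0x03, 0xDE, 0xAD, 0xBE };

/* 1 if both parsers accept the benign blob and agree on its contents. */
int toy_demo_benign_parses(void)
{
    toy_session a, b;
    size_t na = toy_d2i_session_unchecked(&a, toy_good_blob, sizeof toy_good_blob);
    size_t nb = toy_d2i_session_checked(&b, toy_good_blob, sizeof toy_good_blob);
    return na == sizeof toy_good_blob && nb == na && a.cert_len == 3 && b.cert_len == 3
        && memcmp(a.cert, b.cert, 3) == 0 && memcmp(a.id, "abcd", 4) == 0;
}

/* 1 if the hardened parser rejects a blob declaring a 300-byte certificate
 * (> TOY_MAX_CERT_LEN). The unchecked parser is deliberately not run on it:
 * it would copy 300 bytes into a 256-byte field. */
int toy_demo_oversized_rejected(void)
{
    uint8_t blob[1024];
    toy_session s;
    size_t n = toy_build_blob(blob, sizeof blob, 4, 300);
    return n == 1 + 4 + 2 + 300 && toy_d2i_session_checked(&s, blob, n) == 0;
}

/* Stand-alone run: exit status 0 when both checks hold. */
int main(void) { return (toy_demo_benign_parses() && toy_demo_oversized_rejected()) ? 0 : 1; }
```

The point to take from the two parsers is that checking the input length alone (the `in_len - pos < cert_len` guard) only prevents an over-read of the source blob; the write into the session object is bounded by the destination field, which is why each length has to be compared against that field's capacity before the copy. Instrumenting a build like this with AddressSanitizer and feeding the oversized blob to the unchecked parser will report the heap overflow directly.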

CWE: CWE-122 (Heap-based Buffer Overflow)
Vendor: wolfssl
Product: wolfssl
Published: Mar 19, 2026
Last Updated: Mar 19, 2026

Affected Versions

wolfssl / wolfssl: 0 ≤ version ≤ 5.8.4

References

NVD
CVE.org
EPSS Data
https://github.com/wolfSSL/wolfssl/pull/9748
https://github.com/wolfSSL/wolfssl/pull/9949

Credits

Jonathan Bar Or (@yo_yo_yo_jbo)
Haruto Kimura (Stella)