CVE-2026-5503
out-of-bounds write in TLSX_EchChangeSNI via attacker-controlled publicName
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.
| CWE | CWE-787 |
| Vendor | wolfssl |
| Product | wolfssl |
| Published | Apr 9, 2026 |
| Last Updated | Apr 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for wolfssl wolfssl
Be the first to know when new unknown vulnerabilities affecting wolfssl wolfssl are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
wolfSSL / wolfSSL
0 โค 5.9.0
References
Credits
Calif.io in collaboration with Claude and Anthropic Research