CVE-2026-5507

UNKNOWN 0.0

Session Cache Restore — Arbitrary Free via Deserialized Pointer

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

4th

When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs.

CWE	CWE-502
Vendor	wolfssl
Product	wolfssl
Published	Apr 9, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for wolfssl wolfssl

Be the first to know when new unknown vulnerabilities affecting wolfssl wolfssl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

wolfSSL / wolfSSL

0 ≤ 5.9.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/wolfSSL/wolfssl/pull/10088

Credits

Sunwoo Lee (Korea Institute of Energy Technology, KENTECH) Woohyun Choi (Korea Institute of Energy Technology, KENTECH) Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH)