Aug 4-6 · Las VegasCantina is at Black Hat USA · Booth 5200, AI ZoneBook a meeting
out-of-bounds-write

CVE-2026-5503

wolfSSL

Critical

CVSS Details

CVSS Score
9.1 CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weakness
CWE-787 Out-of-bounds Write

Description

In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary. This affects wolfSSL versions up to and including 5.9.0.

Disclosure Date

Public Disclosure
April 9, 2026