out-of-bounds-write
CVE-2026-5503
wolfSSL
CVSS Details
CVSS Score
9.1 CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weakness
CWE-787 Out-of-bounds Write
Description
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary. This affects wolfSSL versions up to and including 5.9.0.
Disclosure Date
Public Disclosure
April 9, 2026