GHSA-68g3-7fhp-7rg3
A vulnerability exists in the OpenSSL-compatible certificate path building in certain builds of wolfSSL where intermediate CA certificates marked as CA:TRUE but lacking the keyCertSign key usage were incorrectly accepted as signing CAs. This check was previously exempt for chain-supplied temporary CAs but is now enforced, except for operator-loaded root certificates and self-signed roots. The issue affects only the OpenSSL-compatibility path and not native certificate verification. No known exploits are reported, and no patch information is currently available.
AI Analysis
Technical Summary
The vulnerability involves improper validation of intermediate CA certificates in wolfSSL's OpenSSL-compatible certificate path building (X509_verify_cert / X509_STORE) when untrusted chain intermediates are added as temporary CAs (WOLFSSL_TEMP_CA). Intermediate CAs with CA:TRUE but without the keyCertSign key usage extension were accepted as signing CAs, violating RFC 5280 requirements. This flaw does not affect native wolfSSL certificate verification and is mitigated by enforcing the keyCertSign check on temporary CAs unless ALLOW_INVALID_CERTSIGN is defined. The vulnerability is identified as CWE-295 (Improper Certificate Validation).
Potential Impact
The impact is moderate as it allows an intermediate CA certificate lacking the required keyCertSign usage to be accepted as a signing CA in the affected wolfSSL OpenSSL-compatibility builds. This could potentially lead to improper trust decisions during certificate path validation. However, native wolfSSL verification is unaffected, and no known exploits are reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid defining ALLOW_INVALID_CERTSIGN and consider using native wolfSSL certificate verification instead of the OpenSSL-compatible path if feasible.
GHSA-68g3-7fhp-7rg3
Description
A vulnerability exists in the OpenSSL-compatible certificate path building in certain builds of wolfSSL where intermediate CA certificates marked as CA:TRUE but lacking the keyCertSign key usage were incorrectly accepted as signing CAs. This check was previously exempt for chain-supplied temporary CAs but is now enforced, except for operator-loaded root certificates and self-signed roots. The issue affects only the OpenSSL-compatibility path and not native certificate verification. No known exploits are reported, and no patch information is currently available.
CVSS v4.0
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability involves improper validation of intermediate CA certificates in wolfSSL's OpenSSL-compatible certificate path building (X509_verify_cert / X509_STORE) when untrusted chain intermediates are added as temporary CAs (WOLFSSL_TEMP_CA). Intermediate CAs with CA:TRUE but without the keyCertSign key usage extension were accepted as signing CAs, violating RFC 5280 requirements. This flaw does not affect native wolfSSL certificate verification and is mitigated by enforcing the keyCertSign check on temporary CAs unless ALLOW_INVALID_CERTSIGN is defined. The vulnerability is identified as CWE-295 (Improper Certificate Validation).
Potential Impact
The impact is moderate as it allows an intermediate CA certificate lacking the required keyCertSign usage to be accepted as a signing CA in the affected wolfSSL OpenSSL-compatibility builds. This could potentially lead to improper trust decisions during certificate path validation. However, native wolfSSL verification is unaffected, and no known exploits are reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid defining ALLOW_INVALID_CERTSIGN and consider using native wolfSSL certificate verification instead of the OpenSSL-compatible path if feasible.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-68g3-7fhp-7rg3
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55964"]
- Ecosystems
- []
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a3ef7e927e9c79719032ddc
Added to database: 06/26/2026, 22:06:33 UTC
Last enriched: 06/26/2026, 22:47:12 UTC
Last updated: 06/26/2026, 23:51:24 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.