The vulnerability in wolfSSL's OCSP response handling (CVE-2026-10098) is due to improper validation of certificate serial numbers in the function wolfSSL_OCSP_resp_find_status. Specifically, the code compares serial number bytes without first checking that the serial numbers are of equal length. This allows a SingleResponse for one certificate whose serial number is a prefix of another certificate's serial number (with the same issuer) to be mistakenly matched, causing the revocation status of the wrong certificate to be returned. The correct behavior requires serial numbers to be equal in length before byte-wise comparison.

This vulnerability can lead to incorrect revocation status reporting for certificates. A certificate could be incorrectly considered revoked or valid based on the status of a different certificate with a serial number prefix match. This undermines the reliability of OCSP-based revocation checking in affected wolfSSL implementations, potentially impacting security decisions that rely on accurate certificate status.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix involves modifying the code to require serial numbers to be of equal length before comparison. Until an official fix is available, users should monitor vendor communications for updates.