Threat Intelligence Database

This vulnerability involves certificates with wildcard DNS Subject Alternative Names (SANs) bypassing Certificate Authority (CA) name-constraint checks. Specifically, a certificate containing a wildcard DNS SAN (e.g., *.example.com) that should be rejected due to the issuing CA's permitted or excluded DNS name constraints may be incorrectly accepted. This issue relates to improper enforcement of name constraints in certificate validation.

The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.

A heap buffer overflow vulnerability exists in the DTLS 1.3 ACK serialization path of wolfSSL versions 5.9.0 and earlier. The issue arises from an integer truncation error when calculating the length of the ACK record-number list, leading to allocation of an undersized buffer that is subsequently overrun. This vulnerability was fixed in wolfSSL version 5.9.1.

This vulnerability involves a bypass of IP address name constraints in WOLFSSL when the WOLFSSL_IP_ALT_NAME configuration is not defined. In this configuration, IP address constraints specified by the issuing Certificate Authority (CA) are not enforced, allowing certificates to bypass these restrictions. No specific affected versions are stated. There is no known exploit in the wild, and no patch or official remediation has been indicated.