A maximum-severity cryptographic flaw in the widely deployed wolfSSL library, tracked as CVE-2026-5194, enables attackers to bypass ECDSA certificate-based authentication by omitting validation checks for digest size and OID, threatening an estimated 1 billion devices across critical infrastructure, automotive systems, VPN platforms, and military communications.
CVE-2026-5194 is a Critical-severity improper certificate validation vulnerability (CWE-295) residing in wolfSSL’s ECDSA signature verification functions.
The flaw arises because wolfSSL fails to enforce minimum hash/digest size requirements and Object Identifier (OID) validation during the ECDSA certificate verification process.
As a result, cryptographically undersized digests smaller than what FIPS 186-4 or 186-5 standards permit are silently accepted by the signature verification logic, allowing forged digital identities to pass as legitimate.
The vulnerability was publicly disclosed on April 9, 2026, and carries a CVSSv3 score of 10.0 (Red Hat assessment) and a CVSSv4 base score of 9.3, placing it in the highest severity tier. Red Hat assigned Bugzilla ID 2457041 and flagged the issue under its Hardened Images product state, confirming exposure at the enterprise level.
The vulnerability was discovered by Nicholas Carlini, a researcher at Anthropic, and is among the first critical CVEs attributed to AI-assisted security research.
wolfSSL confirmed the fix took just one day to implement after the report was received, underscoring the clarity and precision of the disclosure. The fix was merged via GitHub Pull Request #10131 and addressed in the official wolfSSL 5.9.1 release.
The root cause lies in the ECDSA verification code path. When wolfSSL builds include both ECC/ECDSA and either EdDSA or ML-DSA, the library fails to validate that incoming digests meet minimum size thresholds or carry correct OIDs before passing them to the signature verification function.
This is not limited to ECDSA. According to wolfSSL’s official security advisory, the affected signature algorithms include:
The attack vector is Network-based, with Low Attack Complexity, No Privileges Required, and No User Interaction needed, matching the worst-case CVSSv4 exploitability profile.
An attacker who also knows the target’s public CA key could craft a certificate with a downgraded digest, causing wolfSSL to accept it as valid. This enables a malicious server, file, or TLS connection to impersonate a trusted identity without detection.
The CVSS:4.0 vector is: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:L/SA:L indicating High Confidentiality and Integrity impact on the vulnerable system, and High Confidentiality impact on subsequent systems.
Scope of Impact: Billions of Devices at Risk
wolfSSL markets itself as the world’s most widely used embedded TLS/SSL library and claims its software runs on billions of devices globally. The library is deployed across:
- Consumer and enterprise VPN applications
- Home and commercial routers and IoT hardware
- Automotive ECUs and connected vehicle platforms
- Power grid and industrial control systems (ICS/SCADA)
- Military communications and defense systems
- Cloud-native services and containerized workloads
Tenable researchers flagged that multiple Linux distribution packages remain unpatched, confirming that the vulnerability extends beyond embedded environments into mainstream server and desktop deployments. Ubuntu’s security tracker has also acknowledged the CVE.
Conditions That Trigger the Vulnerability
Not every wolfSSL deployment is equally exposed. The vulnerable code path is activated specifically when:
- The wolfSSL build has ECC/ECDSA enabled, AND
- Either EdDSA (ED25519/ED448) or ML-DSA is also compiled into the same build
- The deployment performs certificate verification using those algorithms
Deployments that use only ECDSA without EdDSA or ML-DSA in the same build are less directly affected, but wolfSSL strongly recommends all users upgrade regardless of configuration.
Patch and Mitigation Guidance
wolfSSL 5.9.1 contains the official patch. The fix adds proper digest size validation and OID enforcement in the signature verification code path, ensuring undersized or improperly identified digests are rejected before reaching the verification function.
For organizations that cannot patch immediately, the following interim mitigations are recommended:
- Disable EdDSA and ML-DSA in the wolfSSL build configuration to prevent triggering the vulnerable code path
- Implement certificate pinning at the application layer to restrict accepted certificates to explicitly trusted entities
- Deploy TLS inspection proxies that perform independent certificate chain validation
- Restrict network exposure of services relying on wolfSSL-based authentication until patching is complete
Red Hat advises that organizations running affected Hardened Images review their exposure and apply available updates through official channels.
Industry Reaction and Context
Security analyst Lukasz Olejnik noted on X that CVE-2026-5194 is particularly significant because it affects all signature verification algorithms in wolfSSL, not just ECDSA, broadening the real-world attack surface substantially.
The GitHub Security Advisory Database (GHSA-f5h9-5q52-qrx7) classifies the vulnerability as unreviewed, with no affected package explicitly listed, which may slow automated patching workflows in environments that rely on package-level vulnerability scanners.
Given the library’s prevalence in embedded and critical infrastructure segments, known for long patching cycles and limited update mechanisms, the window of exposure could remain open for months or years in operational technology (OT) environments, even after the patch is widely available.
CVE-2026-5194 Quick Reference
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-5194 |
| GHSA ID | GHSA-f5h9-5q52-qrx7 |
| Severity | Critical |
| CVSSv3 Score | 10.0 (Red Hat) |
| CVSSv4 Score | 9.3 |
| CWE | CWE-295 (Improper Certificate Validation) |
| Affected Library | wolfSSL (all versions prior to 5.9.1) |
| Fixed Version | wolfSSL 5.9.1 |
| Disclosed | April 9, 2026 |
| Reporter | Nicholas Carlini, Anthropic |
Frequently Asked Questions (FAQ)
Q1: What is CVE-2026-5194?
A critical wolfSSL flaw (CVSSv3 10.0) where missing digest size and OID checks allow undersized, potentially forged digests to pass ECDSA signature verification, enabling certificate authentication bypass.
Q2: Which wolfSSL version fixes CVE-2026-5194?
wolfSSL version 5.9.1 contains the official patch that adds proper hash/digest size validation and OID enforcement in all affected signature verification code paths.
Q3: Am I affected if I only use ECDSA without EdDSA or ML-DSA?
The vulnerable code path is triggered when both ECC/ECDSA and EdDSA or ML-DSA are enabled in the same wolfSSL build during certificate verification.
Q4: Who discovered CVE-2026-5194?
Nicholas Carlini, a researcher at Anthropic, discovered and responsibly disclosed the flaw, making it a landmark AI-assisted critical vulnerability discovery in cryptographic library security.
Site: thecybrdef.com
About the Author
