CVE-2026-3547
Published: 19 March 2026
Summary
CVE-2026-3547 is a high-severity out-of-bounds read (CWE-125) vulnerability in the wolfSSL TLS library (vendor: wolfSSL). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely identification, reporting, and remediation of flaws such as the out-of-bounds read in wolfSSL's ALPN parsing to prevent DoS exploitation.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs such as crafted ALPN protocol lists during TLS handshakes to block out-of-bounds reads.
- SI-11 (Error Handling): ensures graceful error handling in ALPN parsing so that invalid inputs are rejected without crashing the process or compromising availability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing TLS service (wolfSSL embedded in servers such as nginx or haproxy) via crafted ALPN data during the handshake maps directly to T1190; the resulting process crash matches T1499.004 (Application or System Exploitation) as a denial-of-service outcome.
NVD Description
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic.
Deeper analysis
CVE-2026-3547 is an out-of-bounds read vulnerability (CWE-125) in the ALPN parsing code of the wolfSSL cryptographic library, affecting versions 5.8.4 and earlier. The flaw stems from incomplete validation during ALPN handling when the library is built with ALPN enabled (HAVE_ALPN or --enable-alpn). ALPN is disabled by default but automatically enabled for third-party compatibility features including enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, and enable-quic. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by transmitting a specially crafted ALPN protocol list to a vulnerable wolfSSL instance during a TLS handshake. Successful exploitation triggers the out-of-bounds read, which can cause the affected process to crash, resulting in a denial-of-service condition with high availability impact.
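As an added illustration of the input validation that SI-10 calls for (hypothetical code written for this note, not wolfSSL's ALPN parser or its fix), the walker below checks every length field of an ALPN extension body against the bytes actually received before reading, and rejects the constructed malformed samples instead of reading past the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounds-checked walker for a TLS ALPN extension body (RFC 7301):
 * uint16 list_length, then repeated { uint8 name_length, opaque name[name_length] }.
 * Written for this note; it is not wolfSSL's code. Returns the number of protocol
 * names, or -1 if any length field would send a read past the end of the buffer
 * or breaks the format. Every read of ext[] is guarded by a check against ext_len. */
int alpn_count_protocols(const uint8_t *ext, size_t ext_len)
{
    size_t list_len, pos = 2, count = 0;

    if (ext == NULL || ext_len < 2)
        return -1;                         /* need the 2-byte list length */
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len != ext_len - 2)
        return -1;                         /* list must fill the extension exactly */
    while (pos < ext_len) {
        size_t name_len = ext[pos++];      /* in bounds: pos < ext_len was just checked */
        if (name_len == 0)
            return -1;                     /* RFC 7301 forbids empty names */
        if (name_len > ext_len - pos)
            return -1;                     /* name would run past the buffer */
        pos += name_len;
        count++;
    }
    return (int)count;
}

/* Looks a name up only after the whole list has been validated.
 * Returns 1 if present, 0 if absent, -1 if the list is malformed. */
int alpn_list_contains(const uint8_t *ext, size_t ext_len, const char *name)
{
    size_t pos, nlen = strlen(name);
    if (alpn_count_protocols(ext, ext_len) < 0)
        return -1;
    for (pos = 2; pos < ext_len; pos += (size_t)ext[pos] + 1)
        if ((size_t)ext[pos] == nlen && memcmp(ext + pos + 1, name, nlen) == 0)
            return 1;
    return 0;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t ALPN_OK[] = { 0x00, 0x0c, 0x02, 'h', '2',
                                   0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t ALPN_NAME_OVERRUN[] = { 0x00, 0x03, 0x05, 'a', 'b' };  /* name says 5 bytes, 2 follow */
static const uint8_t ALPN_LIST_OVERRUN[] = { 0x00, 0x10, 0x02, 'h', '2' };  /* list says 16 bytes, 3 follow */
static const uint8_t ALPN_EMPTY_NAME[]   = { 0x00, 0x01, 0x00 };
```

Each malformed sample carries a length field that claims more bytes than were received; a parser that trusts such a field and reads ahead exhibits the CWE-125 pattern this advisory describes, whereas the checks above turn it into a clean rejection.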
The wolfSSL project has released a fix for this issue via pull request https://github.com/wolfSSL/wolfssl/pull/9859, which security practitioners should review and apply when rebuilding wolfSSL with ALPN support enabled.
Details
- CWE(s): CWE-125 (Out-of-bounds Read)