CVE-2026-5187
Published: 09 April 2026
Summary
CVE-2026-5187 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Wolfssl Wolfssl. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and patching of flaws like the heap out-of-bounds write in wolfSSL's DecodeObjectId(), with patches available via the wolfSSL repository.
Requires validation of information inputs such as crafted Object Identifiers (OIDs) to block malformed ASN.1 data that triggers the bounds check failure and buffer overrun.
Implements memory protection mechanisms like ASLR and DEP to mitigate exploitation of the heap buffer overflow even if unpatched.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploit with no user interaction in wolfSSL ASN.1 parsing enables arbitrary code execution via public-facing application exploitation.
NVD Description
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple…
more
callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.
Deeper analysisAI
CVE-2026-5187 is a critical heap out-of-bounds write vulnerability in the wolfSSL cryptographic library, specifically within the DecodeObjectId() function in wolfcrypt/src/asn.c. The issue manifests in two ways: first, a bounds check validates only one available slot before writing two OID arc values to out[0] and out[1], permitting a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers supply sizeof(decOid)—64 bytes on 64-bit platforms—instead of the element count MAX_OID_SZ (32), allowing the function to process crafted OIDs with 33 or more arcs that overrun the allocated buffer. It is associated with CWE-122 and CWE-787.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying maliciously crafted Object Identifiers (OIDs) to affected wolfSSL deployments, attackers can trigger heap buffer overflows, potentially achieving high-impact confidentiality, integrity, and availability violations such as arbitrary code execution, memory corruption, or denial-of-service.
Mitigation details and patches are available via the wolfSSL GitHub repository at https://github.com/wolfSSL/wolfssl.
Details
- CWE(s)