CVE-2026-5194
Published: 09 April 2026
Summary
CVE-2026-5194 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Wolfssl Wolfssl. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in wolfSSL's ECDSA signature verification through patching.
Requires establishment and validation of PKI certificates, directly addressing weaknesses in ECDSA certificate signature verification.
Mandates secure implementation of cryptographic operations, including proper signature verification to prevent acceptance of invalid digests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote network exploitation (AV:N) with no privileges or user interaction to bypass ECDSA certificate-based authentication due to missing digest/OID checks in wolfSSL, directly facilitating initial access via exploitation of public-facing applications.
NVD Description
Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA…
more
certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled.
Deeper analysisAI
CVE-2026-5194 is a vulnerability in the wolfSSL cryptographic library stemming from missing hash/digest size and OID checks in ECDSA signature verification functions. These omissions allow digests smaller than permitted or appropriate for the relevant key type to be accepted during ECDSA certificate verification. The flaw reduces the security of ECDSA certificate-based authentication if the public CA key is known and specifically affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled. It is classified under CWE-295 with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Exploitation weakens ECDSA signature validation, potentially enabling attackers to bypass authentication mechanisms in affected systems using wolfSSL for certificate verification, leading to high impacts on confidentiality and integrity.
A pull request addressing the issue is available at https://github.com/wolfSSL/wolfssl/pull/10131, which security practitioners should review and apply to mitigate the vulnerability.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Machine Learning Libraries
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ml