
CVE-2026-5447

Severity: Medium
Published: 09 April 2026
Modified: 13 April 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: available (wolfSSL pull request #10112)
CVSS v4.0 base score: 6.3 (Medium)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0022 (12.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-5447 is a medium-severity heap-based buffer overflow (CWE-122) in the wolfSSL library's CertFromX509 function. Its CVSS v4.0 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5447 is a heap buffer overflow in the wolfSSL library, in the CertFromX509 function. The defect is incorrect size handling of the AuthorityKeyIdentifier extension while an X.509 certificate is converted to wolfSSL's internal certificate representation (CWE-122, Heap-based Buffer Overflow): a crafted extension causes the conversion to write beyond the heap buffer allocated for it.

Any attacker who can get a malicious X.509 certificate into an application that reaches the affected conversion path in wolfSSL can trigger the overflow during certificate processing. The CVSS vector characterises the bug as network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N), but with attack requirements present (AT:P), and rates the direct impact as low integrity only (VC:N/VI:L/VA:N).

The wolfSSL project fixed the issue in pull request #10112 on GitHub, which corrects the size handling of the AuthorityKeyIdentifier extension. Practitioners should move to a wolfSSL build that includes that change. Where a rebuild cannot happen immediately, restrict which parties can present certificates to the affected code path, and treat memory-safety hardening (ASLR, hardened heap allocators, sanitizer builds during testing) as containment only, not as a substitute for the patch.
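As an added illustration (this is not wolfSSL's code and not the CVE-2026-5447 patch), the following C program shows the shape of the bug the advisory describes: a DER walker that correctly bounds each AuthorityKeyIdentifier TLV against the input buffer, followed by an internal conversion into a fixed-size structure that trusts the decoded keyIdentifier length. The struct layout, the function names and the 20-byte capacity are hypothetical, and both sample extensions are constructed by hand. The checked variant is the extension-length validation that the SI-10 control in the mitigations list refers to.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size conversion target (wolfSSL's real layout differs).
 * The capacity is fixed at compile time while the copy length comes from
 * attacker-controlled DER; 20 bytes fits the common SHA-1 key identifier. */
#define AKID_KEYID_MAX 20
typedef struct {
    uint8_t  keyId[AKID_KEYID_MAX];
    uint32_t keyIdLen;
} CertAkid;

/* Decode a DER length (short form, or long form with 1-2 length octets);
 * returns the value length and the number of length octets consumed. */
static int der_get_len(const uint8_t *p, size_t avail, size_t *len, size_t *hdr)
{
    if (avail < 1) return -1;
    if (p[0] < 0x80) { *len = p[0]; *hdr = 1; return 0; }
    size_t n = p[0] & 0x7Fu, v = 0;
    if (n == 0 || n > 2 || avail < 1 + n) return -1;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v; *hdr = 1 + n;
    return 0;
}

/* Find the [0] IMPLICIT keyIdentifier (tag 0x80) in an AuthorityKeyIdentifier
 * SEQUENCE, checking every TLV against the input buffer. This parsing step is
 * consistent with the input; the bug lives in the conversion step below. */
static int akid_find_keyid(const uint8_t *ext, size_t extLen,
                           const uint8_t **kid, size_t *kidLen)
{
    size_t len, hdr;
    if (extLen < 2 || ext[0] != 0x30) return -1;
    if (der_get_len(ext + 1, extLen - 1, &len, &hdr) != 0) return -1;
    if (len > extLen - 1 - hdr) return -1;
    const uint8_t *p = ext + 1 + hdr, *end = p + len;
    while (p < end) {
        if ((size_t)(end - p) < 2) return -1;
        uint8_t tag = p[0];
        if (der_get_len(p + 1, (size_t)(end - p) - 1, &len, &hdr) != 0) return -1;
        const uint8_t *val = p + 1 + hdr;
        if (len > (size_t)(end - val)) return -1;      /* TLV runs past SEQUENCE */
        if (tag == 0x80) { *kid = val; *kidLen = len; return 0; }
        p = val + len;                                  /* skip [1] / [2] */
    }
    return -1;                                          /* no keyIdentifier */
}

/* Vulnerable pattern: kidLen is consistent with the input buffer, but nothing
 * compares it with the capacity of out->keyId. A 40-byte keyIdentifier
 * overruns the 20-byte field and the 4-byte length after it, 16 bytes past
 * the heap allocation (ASan reports heap-buffer-overflow at this memcpy). */
int akid_convert_unchecked(const uint8_t *ext, size_t extLen, CertAkid *out)
{
    const uint8_t *kid; size_t kidLen;
    if (akid_find_keyid(ext, extLen, &kid, &kidLen) != 0) return -1;
    memcpy(out->keyId, kid, kidLen);
    out->keyIdLen = (uint32_t)kidLen;
    return 0;
}

/* Hardened pattern: compare the decoded length with the destination size
 * before copying, and reject rather than truncate. Returns -2 on overflow. */
int akid_convert_checked(const uint8_t *ext, size_t extLen, CertAkid *out)
{
    const uint8_t *kid; size_t kidLen;
    if (akid_find_keyid(ext, extLen, &kid, &kidLen) != 0) return -1;
    if (kidLen > sizeof(out->keyId)) return -2;
    memcpy(out->keyId, kid, kidLen);
    out->keyIdLen = (uint32_t)kidLen;
    return 0;
}

/* Constructed sample inputs (not taken from any real certificate). */
static const uint8_t SAMPLE_AKID_OK[] = {          /* SEQUENCE { [0] 20 bytes } */
    0x30, 0x16, 0x80, 0x14,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,
    0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,0x13,0x14 };
static const uint8_t SAMPLE_AKID_BIG[] = {         /* SEQUENCE { [0] 40 bytes } */
    0x30, 0x2A, 0x80, 0x28,
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA };

int main(void)
{
    CertAkid *out = calloc(1, sizeof *out);        /* heap-allocated sink */
    if (out == NULL) return 1;
    int rc = akid_convert_checked(SAMPLE_AKID_OK, sizeof SAMPLE_AKID_OK, out);
    printf("20-byte keyid: rc=%d copied=%u\n", rc, out->keyIdLen);
    rc = akid_convert_checked(SAMPLE_AKID_BIG, sizeof SAMPLE_AKID_BIG, out);
    printf("40-byte keyid: rc=%d (rejected before memcpy)\n", rc);
    /* akid_convert_unchecked(SAMPLE_AKID_BIG, ...) is deliberately not run. */
    free(out);
    return 0;
}
```

The point of the two functions side by side is that the overflow is not a DER parsing error: the oversized extension is perfectly well-formed, and every TLV lies inside the input. The missing check is between the decoded length and the capacity of the internal structure the certificate is converted into, which is exactly where a "size confusion" between two representations of the same field tends to live.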


Vulnerability details

Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A heap buffer overflow in X.509 certificate parsing is reached by supplying a malicious certificate. That maps to exploitation of a public-facing application (T1190) when the parser sits behind a network listener that accepts peer certificates, to client-side execution (T1203) when a client processes a malicious server certificate, and to privilege escalation (T1068) when the parsing code runs in a more privileged context than the party supplying the certificate. Note that the CVSS vector rates the direct impact as low integrity only (VI:L, with VC:N and VA:N); code execution is a common outcome of heap corruption in general, but it is not established for this CVE.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-47311 (shared CWE-122)
CVE-2025-49673 (shared CWE-122)
CVE-2026-3557 (shared CWE-122)
CVE-2026-44050 (shared CWE-122)
CVE-2026-6296 (shared CWE-122)
CVE-2025-53853 (shared CWE-122)
CVE-2026-7353 (shared CWE-122)
CVE-2026-35421 (shared CWE-122)
CVE-2025-21411 (shared CWE-122)
CVE-2025-53557 (shared CWE-122)

Affected Assets

wolfSSL library, CertFromX509 X.509 conversion path. Affected and fixed version numbers are not stated on this page; the fix is in wolfSSL pull request #10112.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires applying the vendor patch that corrects AuthorityKeyIdentifier size handling in CertFromX509.

SI-10 Information Input Validation (prevent): Enforces validation of certificate extension lengths before internal X.509 conversion, blocking the malformed input that triggers the heap overflow.

SI-16 Memory Protection (prevent): Requires memory-protection mechanisms that can prevent or contain exploitation of the resulting heap buffer overflow. These mechanisms reduce exploitability but do not remove the overflow itself.

References

wolfSSL pull request #10112 (GitHub): fix correcting AuthorityKeyIdentifier size handling in CertFromX509.