A critical cryptographic validation flaw in the wolfSSL TLS/SSL library (CVE-2026-5194) can accept improperly small hash digests during ECDSA and related signature verification, allowing forged certificates to be trusted. Researchers warn attackers could exploit this to make vulnerable devices and applications accept malicious servers or connections, so affected users should upgrade to wolfSSL 5.9.1 or follow vendor advisories promptly. #wolfSSL #CVE-2026-5194
Keypoints
- CVE-2026-5194 is a validation flaw in wolfSSL that permits smaller-than-appropriate digests during signature checks.
- The issue affects multiple signature algorithms including ECDSA/ECC, DSA, ML-DSA, Ed25519, and Ed448.
- An attacker could exploit the bug to present forged certificates and trick devices or applications into trusting malicious servers or connections.
- wolfSSL patched the flaw in version 5.9.1 (released April 8); organizations should apply updates or consult downstream vendor advisories.
- Exploitation may depend on deployment-specific conditions, so administrators should review builds, vendor packages, and firmware for exposure.