Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Certificate forgery in wolfSSL ECDSA certificate verification

IdentifiersCVE-2026-5194CWE-295· Improper Certificate Validation

CVE-2026-5194 is a critical cryptographic validation flaw in wolfSSL affecting certificate signature verification. wolfSSL failed to enforce required hash/digest size checks and associated algorithm OID checks, allowing signature verification functions to accept digests smaller than permitted by FIPS 186-4/186-5 or smaller than appropriate for the relevant key type. The issue is described as affecting ECDSA/ECC certificate verification, particularly in configurations where EdDSA or ML-DSA is also enabled; supporting content also states the broader verification logic impacts multiple signature algorithms including DSA, ML-DSA, ED25519, and ED448. As a result, malformed or forged certificates/signatures using undersized digests may be accepted as valid, weakening certificate-based authentication and enabling certificate forgery scenarios.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can reduce the effective security of certificate-based authentication and allow acceptance of forged certificates or signatures. In practical terms, this can let an attacker impersonate trusted services such as banks, email providers, or other TLS-protected endpoints, causing clients or devices to trust malicious servers, connections, or signed objects. The advisory notes the risk is especially relevant if the public CA key used is known. Depending on deployment, this can enable man-in-the-middle positioning, service impersonation, and trust subversion across embedded, IoT, industrial, and other systems using wolfSSL for certificate validation.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, prioritize systems that perform certificate verification with ECC enabled alongside EdDSA or ML-DSA, as these are specifically called out as affected. Reduce exposure by limiting trust to necessary CA roots, monitoring for anomalous certificate chains or unexpected service certificates, and accelerating firmware/package updates from downstream vendors. Because this is a library-level certificate validation flaw, mitigation short of patching is limited; replacing or disabling affected verification paths where feasible is advisable until updates are applied.

Remediation

Patch, then assume compromise.

Upgrade wolfSSL to version 5.9.1 or later. The vendor advisory states affected versions are 3.12.0 through versions prior to 5.9.1, and the issue was fixed in wolfSSL pull request 10131. Organizations should also obtain patched downstream packages, firmware, SDKs, or vendor builds where wolfSSL is bundled indirectly, and verify that certificate-validation paths in deployed products incorporate the fixed library.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
WolfsslWolfsslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

34 SOURCESView more in app
cysecurity newsNews
Jun 2, 2026
Anthropic's Mythos Preview Detects Over 10,000 Software Bugs in Project Glassing - CySecurity News - Latest Information Security and Hacking Incidents

A vulnerability in the wolfSSL cryptographic library that could have allowed attackers to create fake certificates and host spoofed sites for targets such as email providers or banks.

Read more
hackreadNews
May 26, 2026
Claude Mythos AI Identified 10,000+ Software Vulnerabilities in One Month

A critical certificate forgery vulnerability in the wolfSSL open-source security library that could allow attackers to forge digital identities and enable convincing fake websites.

Read more
ghacksNews
May 26, 2026
Anthropic Plans Public Release of Mythos-Class AI Bug Finder Once Safeguards Are Ready - gHacks Tech News

A critical vulnerability in the wolfSSL cryptography library that could allow attackers to forge certificates and impersonate trusted services such as banks or email providers.

Read more
security affairsNews
May 24, 2026
Anthropic's Glasswing: 10,000+ Vulnerabilities Found in One Month, and the Patching Problem Has Never Been More Obvious

A critical WolfSSL vulnerability that could allow attackers to forge certificates and impersonate legitimate services, undermining trust in encrypted communications.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity22

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-5194
NVD
nvd.nist.gov/vuln/detail/CVE-2026-5194
MITRE CWE · CWE-295
Improper Certificate Validation
Issue Tracking
github.com/wolfSSL/wolfssl/pull/10131
anthropic.com
anthropic.com/research/glasswing-initial-update