CVE-2026-5263 HIGH

CVE-2026-5263: URI nameConstraints not enforced in ConfirmNameConstraints()

Vendor Wolfssl
Product wolfSSL
Weakness CWE-295
Published April 9, 2026
Last update April 10, 2026

CVSS base score

7.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.
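The check this description says is missing can be sketched as follows. This is an added example, not wolfSSL code and not the project's fix: it applies the RFC 5280 section 4.2.1.10 rule for URI constraints (match on the host part, reject URIs without a fully qualified host name) to one URI SAN. All function names and the sample constraints are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Host names compare case-insensitively. */
static int eq_ci(const char *a, const char *b, size_t n) {
    while (n--)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    return 1;
}

/* Find the host in scheme://[userinfo@]host[:port][/...]; returns 0 when there
 * is no authority component or the host is empty or an IP literal. */
static int uri_host(const char *uri, const char **host, size_t *len) {
    const char *p = strstr(uri, "://");
    size_t n, i;
    /* "://" must directly follow the scheme, not sit inside a path or query */
    if (p == NULL || strcspn(uri, "/?#") != (size_t)(p - uri) + 1) return 0;
    p += 3;
    n = strcspn(p, "/?#");                    /* end of the authority */
    for (i = n; i > 0; i--)                   /* skip userinfo up to the last '@' */
        if (p[i - 1] == '@') { p += i; break; }
    n = strcspn(p, ":/?#");                   /* host ends at port or path */
    if (n == 0 || p[0] == '[' || strspn(p, "0123456789.") >= n) return 0;
    *host = p; *len = n;
    return 1;
}

/* A constraint starting with '.' is a domain and needs at least one extra
 * label in the host; any other constraint names exactly one host. */
static int host_matches(const char *h, size_t hl, const char *c) {
    size_t cl = strlen(c);
    if (c[0] == '.') return hl > cl && eq_ci(h + hl - cl, c, cl);
    return hl == cl && eq_ci(h, c, cl);
}

/* Returns 1 if the URI SAN satisfies the issuing CA's URI subtrees, else 0. */
int uri_san_allowed(const char *uri, const char *const *permitted, size_t np,
                    const char *const *excluded, size_t ne) {
    const char *h; size_t hl, i;
    if (np == 0 && ne == 0) return 1;         /* CA sets no URI constraints */
    if (!uri_host(uri, &h, &hl)) return 0;    /* constrained: host is required */
    for (i = 0; i < ne; i++) if (host_matches(h, hl, excluded[i])) return 0;
    for (i = 0; i < np; i++) if (host_matches(h, hl, permitted[i])) return 1;
    return np == 0;                           /* only exclusions were set */
}

/* Constructed sample: a sub-CA limited to hosts under .example.com. */
int sample_check(const char *uri) {
    static const char *const permitted[] = { ".example.com" };
    static const char *const excluded[] = { "internal.example.com" };
    return uri_san_allowed(uri, permitted, 1, excluded, 1);
}
```

A chain verifier would run a check like this for every URI SAN of each certificate issued below the constrained CA and fail the chain on the first 0.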

Key dates

02 Disclosure timeline

April 9, 2026 CVE published
April 10, 2026 Record updated