A critical vulnerability in the wolfSSL library enables attackers to use forged certificates to bypass security checks on billions of devices. The flaw, tracked as CVE-2026-5194, stems from improper verification of hash algorithm sizes during ECDSA signature checks.
Researchers warn that the bug allows an attacker to force a target application or device to accept fraudulent certificates for malicious connections. Because wolfSSL is used in over 5 billion applications—including IoT devices, industrial control systems, and automotive software—the potential attack surface is massive.
Nicholas Carlini of Anthropic discovered the vulnerability. The flaw affects several signature algorithms, including ECDSA/ECC, DSA, ML-DSA, Ed25519, and Ed448.
Forged digital identities
According to the wolfSSL security advisory, the library fails to perform necessary checks on the hash/digest size and Object Identifier (OID). This allows digests smaller than the cryptographically required size to be accepted during verification.
"This could lead to reduced security of ECDSA certificate-based authentication if the public CA [certificate authority] key used is also known," the advisory stated.
Security researcher Lukasz Olejnik noted that exploitation could trick vulnerable systems into accepting a "forged digital identity as genuine." This could lead a device to trust a malicious server, file, or connection that should have been rejected.
An attacker can exploit this by providing a forged certificate with a smaller digest than is appropriate for the key type. This makes the signature much easier to falsify or reproduce.
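An added example, not wolfSSL's code or its patch: a check of the kind the advisory describes as missing, run before signature verification, which rejects a digest whose length does not match the declared hash or is too short for the key. The enum and function names and the minimum-length policy are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical identifiers for this example; not wolfSSL's own enums. */
typedef enum { HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512 } hash_id;
typedef enum { DIGEST_OK, DIGEST_UNKNOWN_HASH, DIGEST_LEN_MISMATCH,
               DIGEST_TOO_SHORT } digest_status;

/* Output length in bytes of the hash named by the signature OID. */
static size_t hash_output_len(hash_id h)
{
    switch (h) {
    case HASH_SHA1:   return 20;
    case HASH_SHA256: return 32;
    case HASH_SHA384: return 48;
    case HASH_SHA512: return 64;
    }
    return 0; /* value outside the enum: unknown hash */
}

/* Assumed policy: the digest must be at least as long as the key,
 * capped at 64 bytes so a 521-bit key pairs with SHA-512. */
static size_t min_digest_len(size_t key_bits)
{
    size_t need = (key_bits + 7) / 8;
    return need > 64 ? 64 : need;
}

/* Run before signature verification; reject anything but DIGEST_OK. */
digest_status check_digest(hash_id declared, size_t digest_len, size_t key_bits)
{
    size_t expect = hash_output_len(declared);
    if (expect == 0)
        return DIGEST_UNKNOWN_HASH;
    if (digest_len != expect)      /* digest does not match its OID */
        return DIGEST_LEN_MISMATCH;
    if (digest_len < min_digest_len(key_bits))
        return DIGEST_TOO_SHORT;   /* hash too small for this key */
    return DIGEST_OK;
}

int main(void)
{
    /* Constructed inputs: (declared hash, digest bytes, key bits). */
    printf("%d\n", check_digest(HASH_SHA256, 32, 256)); /* accepted */
    printf("%d\n", check_digest(HASH_SHA256, 20, 256)); /* truncated */
    printf("%d\n", check_digest(HASH_SHA1, 20, 256));   /* too short */
    return 0;
}
```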
wolfSSL released version 5.9.1 on April 8 to address the issue. Developers and system administrators using builds with both ECC and EdDSA or ML-DSA active should upgrade immediately.
Administrators relying on downstream vendor packages, such as Linux distribution updates or embedded SDKs, should monitor vendor-specific advisories for patches. Red Hat has already issued an advisory regarding the flaw, noting that its MariaDB implementation is not affected because it utilizes OpenSSL instead of wolfSSL.