RC RANDOM CHAOS

wolfSSL ECDSA flaw lets attackers forge certificates across 5B+ devices

· via BleepingComputer

Original source: Critical flaw in wolfSSL library enables forged certificate use (BleepingComputer)

A critical signature-validation flaw in wolfSSL (CVE-2026-5194) lets an attacker bypass certificate verification: the library did not check that a hash digest's length matches the signature algorithm's OID, nor that the digest is large enough for the key type. Because undersized digests are accepted, ECDSA verification is weakened to the point that a forged certificate can pass as legitimate. The same missing checks affect the DSA, ML-DSA, Ed25519 and Ed448 signature paths.

The blast radius is substantial. wolfSSL is embedded in IoT gear, industrial control systems, routers, automotive platforms, and aerospace hardware; the project claims deployment across more than 5 billion applications and devices. Exploitation consists of presenting a forged certificate whose signature uses an undersized digest, which lets an attacker impersonate trusted servers or sign malicious payloads that vulnerable clients accept.

The flaw was reported by Anthropic researcher Nicholas Carlini and patched in wolfSSL 5.9.1 on April 8. Operators running distro packages, vendor firmware, or embedded SDKs should track downstream advisories rather than assume the upstream patch has propagated. Red Hat rated the flaw maximum severity but confirmed MariaDB is unaffected because it links against OpenSSL, which illustrates the point: what matters is which TLS library a given binary actually links, not whether the distribution carries the CVE. Because wolfSSL is often statically linked into firmware images, a package-manager query alone does not establish exposure; check the library version embedded in the binary or the vendor's SBOM.


This is an AI-generated summary. Read the original for the full story.