An emergency patch has been released for wolfSSL, a critical security component that handles TLS encryption in five billion everyday devices and apps, from smartphones to routers. Many outdated devices might never get a patch.
Attackers have found a way to forge digital signatures and pass them as genuine, making their fraudulent servers, files, or connections appear legitimate when they should be rejected.
The critically important library accepts certificates without properly verifying if they meet minimum cryptographic strength requirements, such as the hash (cryptographic fingerprint) strength, and digest (the output of the hashing process) size. It doesn’t even verify if the OID (Object Identifier, a label declaring which signing algorithm was used) was actually used to produce the signature.
WolfSSL disclosed the critical vulnerability that requires instant patching.
“Missing hash/digest size and OID checks allow digests smaller than allowed by FIPS 186-4 or 186-5 (as appropriate), or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions, reducing the security of certificate-based authentication,” the security advisory reads.
The bug, labeled CVE-2026-5194, carries a 9.3 out of 10 severity rating in the National Vulnerability Database. However, Red Hat’s independent assessment pushes it to a perfect 10.
The bug affects multiple modern signature algorithms, including ECDSA/ECC, DSA, ML-DSA, ED25519, and ED448. WolfSSL credited security researcher Nicholas Carlini from Anthropic for reporting the issue.
According to WolfSSL, their library is used in five billion products, including the smart grid, standard, industrial automation, connected home, machine-to-machine, auto industry, games, applications, databases, sensors, VoIP, routers, appliances, cloud services, government, military, aviation, and more.
Home users might unknowingly rely on it while using VPN apps or home routers.
“CVE-2026-5194 could let a device or application accept a forged digital identity as genuine, trusting a malicious server, file, or connection it should have rejected,” explains Lukasz Olejnik, a security and privacy researcher.
Red Hat warns that the cyberattack is low-complexity and requires no privileges or user interaction. Attackers can use invalid or forged certificates to spoof trusted entities and interfere in the communication path between the host and client.
WolfSSL patched the bug in version 5.9.1, and urges developers using the library to update to the latest release. The update adds additional checks and enforcements for hash and digest sizes, as well as OID agreement checks.
The bigger concern is that older and discontinued devices may never receive this patch and continue to work normally, while remaining silently vulnerable. Manufacturers may never release fixes, and even if they do, many users never apply required firmware updates.
While significant, wolfSSL isn’t the most popular TLS library, and OpenSSL is far more dominant. The lightweight WolfSSL is more commonly used in embedded and IoT applications, while OpenSSL powers mainstream web infrastructure.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked