Bug 2457041 (CVE-2026-5194)

Summary: CVE-2026-5194 wolfSSL: wolfSSL: Reduced security of ECDSA authentication via missing digest size checks
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in wolfSSL. Missing hash/digest size and Object Identifier (OID) checks allow the acceptance of smaller, less secure digests during the verification of Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. This could enable a remote attacker, with knowledge of the public Certificate Authority (CA) key, to weaken the security of ECDSA certificate-based authentication. The vulnerability affects ECDSA/ECC verification when EdDSA or ML-DSA are also enabled.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-09 20:02:39 UTC
Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled.