CVE-2026-10592 in wolfSSL
Summary
by MITRE • 06/25/2026
Certificates with wildcard DNS SANs (e.g. *.example.com) bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability represents a critical flaw in certificate authority validation processes that undermines the fundamental security model of public key infrastructure. The issue occurs when certificate authorities fail to properly enforce name constraints on certificates containing wildcard dns subject alternative names, specifically those matching patterns like *.example.com. This weakness allows malicious actors to obtain certificates that should have been rejected based on the issuing CA's configured permitted or excluded dns name constraints. The technical flaw stems from improper parsing or validation logic within the certificate issuance pipeline where wildcard dns entries are not adequately compared against the established name constraint boundaries. This creates a scenario where an attacker could potentially obtain a certificate for a domain they shouldn't be authorized to control, effectively bypassing the intended scope limitations that name constraints are designed to enforce.
The operational impact of this vulnerability extends far beyond simple certificate validation failures and represents a significant threat to trust infrastructure integrity. When a certificate authority accepts wildcard dns entries that violate established name constraints, it creates opportunities for impersonation attacks where malicious actors can obtain certificates for domains within the constrained scope but outside the intended authorization boundaries. This weakness directly impacts the core principle of certificate authorities acting as trusted intermediaries that validate domain ownership and enforce security policies. The vulnerability enables potential man-in-the-middle attacks, cross-site scripting scenarios, and other advanced persistent threats where attackers leverage these improperly validated certificates to establish fraudulent trust relationships with legitimate systems.
From a cybersecurity framework perspective, this vulnerability maps directly to CWE-295 which specifically addresses improper certificate validation and weak certificate chain validation. The issue also correlates with ATT&CK technique T1553.003 related to subvert trust controls and T1553.004 for code signing certificate abuse. The flaw demonstrates a critical failure in the certificate authority's implementation of name constraint enforcement, where wildcard dns entries are not properly normalized or compared against the constraint boundaries during validation. This weakness is particularly dangerous because it operates at the root of trust infrastructure, allowing attackers to exploit the very controls designed to prevent unauthorized certificate issuance.
Effective mitigations for this vulnerability require comprehensive updates to certificate authority validation logic and implementation practices. Certificate authorities must ensure that wildcard dns subject alternative names undergo proper normalization before name constraint evaluation, including handling of domain label matching and wildcard expansion. The implementation should enforce strict comparison rules where a wildcard entry like *.example.com would be validated against both permitted and excluded name constraints, ensuring that the base domain structure matches the constraint boundaries. Organizations should implement automated monitoring systems to detect and alert on certificate issuance patterns that might indicate this vulnerability, while also conducting regular audits of certificate authority configurations to ensure proper name constraint enforcement.
Security practitioners should consider implementing additional validation layers beyond the basic certificate authority checks, including independent verification of certificate constraints using tools that can properly analyze wildcard dns entries against name constraint boundaries. The fix requires careful attention to how wildcards are processed during validation, ensuring that certificate authorities properly understand that *.example.com is not equivalent to example.com or any subdomain of example.com when evaluating name constraints. This vulnerability underscores the critical importance of proper certificate authority implementation and the need for continuous security assessment of trust infrastructure components to prevent exploitation through seemingly simple validation oversights.