CVE-2026-3229 in wolfSSL

Summary

by MITRE • 03/20/2026

An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, which caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these APIs: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These APIs are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised.


Analysis

by VulDB Data Team • 03/26/2026

The integer overflow vulnerability identified in CVE-2026-3229 resides within the wolfSSL library's static function wolfssl_add_to_chain which operates as a critical component in certificate chain management. This flaw manifests when processing certificate data through the affected API functions including wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, and wolfSSL_add0_chain_cert. The vulnerability stems from insufficient input validation and buffer size calculations that fail to properly handle integer overflow conditions during certificate buffer allocation. When certificate data exceeds the allocated buffer boundaries, heap corruption occurs due to out-of-bounds memory writes that can overwrite adjacent memory regions. The issue is classified under CWE-190 as an integer overflow condition where the computation of buffer size fails to account for potential overflow scenarios, leading to memory corruption vulnerabilities.
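The failure mode described above is a size computation that wraps before the buffer is grown, so the subsequent write lands past the end of a too-small heap allocation. The following C program is an added example, not wolfSSL's code: it models a hypothetical chain buffer (3-byte big-endian length prefix per entry, names chain_t, chain_append, chain_count are assumptions for illustration) and shows the checked arithmetic that refuses an append whose total length cannot be represented, together with a bounded walk that validates every stored length against the buffer. The two stand-in certificates are constructed bytes, not real DER.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chain buffer for this example (assumed layout, not wolfSSL's):
 * each entry is a 3-byte big-endian length followed by that many DER bytes. */
#define CHAIN_HDR_SZ 3u
#define CHAIN_MAX_CERT_SZ ((uint32_t)1 << 24) /* first value a 3-byte length cannot hold */

typedef struct {
    unsigned char *buf;  /* heap buffer holding the serialized chain */
    uint32_t len;        /* bytes in use */
    uint32_t cap;        /* bytes allocated */
} chain_t;

/* Append one certificate. Returns 0 on success, -1 if the size arithmetic
 * would wrap or the length cannot be encoded, -2 if allocation fails. */
int chain_append(chain_t *c, const unsigned char *der, uint32_t der_len)
{
    uint32_t new_len;
    unsigned char *p;

    if (c == NULL || der == NULL)
        return -1;
    /* The 3-byte header cannot describe lengths of 2^24 or more. */
    if (der_len >= CHAIN_MAX_CERT_SZ)
        return -1;
    /* Checked addition of c->len + CHAIN_HDR_SZ + der_len: refuse rather
     * than let the uint32_t wrap to a small value. */
    if (c->len > UINT32_MAX - CHAIN_HDR_SZ)
        return -1;
    new_len = c->len + CHAIN_HDR_SZ;
    if (new_len > UINT32_MAX - der_len)
        return -1;
    new_len += der_len;

    /* Grow only after the total is known to be sane. */
    if (new_len > c->cap) {
        p = realloc(c->buf, new_len);
        if (p == NULL)
            return -2;
        c->buf = p;
        c->cap = new_len;
    }
    c->buf[c->len]     = (unsigned char)(der_len >> 16);
    c->buf[c->len + 1] = (unsigned char)(der_len >> 8);
    c->buf[c->len + 2] = (unsigned char)(der_len);
    memcpy(c->buf + c->len + CHAIN_HDR_SZ, der, der_len);
    c->len = new_len;
    return 0;
}

/* Walk the chain and count entries, checking that every declared length
 * stays inside the buffer. Returns the entry count, or -1 if malformed. */
int chain_count(const chain_t *c)
{
    uint32_t off = 0;
    int n = 0;
    while (off < c->len) {
        uint32_t remain = c->len - off;
        uint32_t l;
        if (remain < CHAIN_HDR_SZ)
            return -1;
        l = ((uint32_t)c->buf[off] << 16) | ((uint32_t)c->buf[off + 1] << 8)
            | (uint32_t)c->buf[off + 2];
        if (l > remain - CHAIN_HDR_SZ)
            return -1;
        off += CHAIN_HDR_SZ + l;
        n++;
    }
    return n;
}

void chain_free(chain_t *c) { free(c->buf); c->buf = NULL; c->len = c->cap = 0; }

/* Constructed sample input: two stand-in "certificates" (not real DER). */
static const unsigned char sample_a[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char sample_b[] = { 0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03 };

/* Normal path: two appends, then the walk finds two entries. */
int demo_normal(void)
{
    chain_t c = { NULL, 0, 0 };
    int n;
    if (chain_append(&c, sample_a, (uint32_t)sizeof sample_a) != 0) return -1;
    if (chain_append(&c, sample_b, (uint32_t)sizeof sample_b) != 0) return -1;
    n = chain_count(&c);
    chain_free(&c);
    return n;
}

/* A chain whose recorded length is already near UINT32_MAX: the checked
 * addition refuses instead of wrapping to a tiny allocation. Nothing is
 * read or written before the refusal, so the buffer can be NULL here. */
int demo_rejects_wrap(void)
{
    chain_t c = { NULL, UINT32_MAX - 1, 0 };
    return chain_append(&c, sample_a, (uint32_t)sizeof sample_a);
}

/* A length the 3-byte header cannot encode is refused before any access. */
int demo_rejects_oversize(void)
{
    chain_t c = { NULL, 0, 0 };
    return chain_append(&c, sample_a, CHAIN_MAX_CERT_SZ);
}

int main(void)
{
    printf("normal: %d entries\n", demo_normal());
    printf("wrap attempt: %d\n", demo_rejects_wrap());
    printf("oversize: %d\n", demo_rejects_oversize());
    return 0;
}
```

The two guards in chain_append are the whole point: the first bounds each certificate to what the length field can encode, the second performs the addition in a form that cannot wrap, so the allocation size always matches the bytes that will be written.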

The operational impact of this vulnerability extends across multiple third-party compatibility features enabled through configuration options such as enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, and enable-haproxy. These features indicate that the vulnerability affects widely deployed web server and proxy configurations that rely on wolfSSL for secure communications. The attack vector requires local compromise of the application context loading certificates, meaning an attacker must already have access to the system or application to exploit this vulnerability. This limitation reduces the remote exploit potential but does not eliminate the threat, as the vulnerability can be leveraged by attackers who have achieved initial system compromise through other means. The heap corruption resulting from this integer overflow can lead to denial of service conditions, application crashes, or potentially more severe memory corruption that could be exploited for privilege escalation or code execution within the compromised application context.

Mitigation strategies for CVE-2026-3229 should prioritize immediate patching of affected wolfSSL versions to address the integer overflow in the wolfssl_add_to_chain function. System administrators should implement strict input validation for certificate data and monitor certificate chain operations for anomalous behavior that might indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as exploitation could involve crafting malicious certificate data to trigger the overflow condition. Organizations should also consider implementing memory protection mechanisms such as stack canaries and address space layout randomization to mitigate potential exploitation. Security monitoring should focus on detecting unusual certificate loading patterns and memory access violations that could indicate heap corruption attempts. Additionally, maintaining up-to-date security patches for all components that utilize wolfSSL, including nginx, stunnel, haproxy, and other compatible software, is essential for comprehensive protection against this vulnerability and similar integer overflow conditions that could exist in related cryptographic libraries.

Responsible

wolfSSL

Reservation

02/25/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00017

KEV

no

Activities

very low

Sources
