Arbitrary Free Vulnerability in wolfSSL Product by wolfSSL
CVE-2026-5507
4.1 MEDIUM
What is CVE-2026-5507?
When restoring a session from the session cache, wolfSSL uses a pointer derived from the serialized session data in a free operation without validating it first. An attacker who can poison the session cache with crafted session data and then trigger the affected session restore APIs may cause the library to free arbitrary memory. Users of wolfSSL should monitor the situation and apply the necessary updates to prevent potential exploitation.
Affected Version(s)
wolfSSL 0 through 5.9.0 (all versions <= 5.9.0)
References
CVSS V4
Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Sunwoo Lee (Korea Institute of Energy Technology, KENTECH)
Woohyun Choi (Korea Institute of Energy Technology, KENTECH)
Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH)
