CVE-2026-6679 - wolfSSL DTLS 1.3 ACK serialization heap overflow

CVE-2026-6679 - wolfSSL DTLS 1.3 ACK serialization heap overflow - High - 2026-06-25

Business risk: Unauthenticated DTLS traffic can crash or corrupt memory in edge, IoT, and embedded services before peer authentication.

Root cause: ACK record-number list length is truncated before allocation, creating an undersized buffer that serialization overruns.

Affected versions

  • Vulnerable: wolfSSL 5.9.0 and earlier builds with DTLS 1.3 enabled.
  • Fixed / safe target: Upgrade wolfSSL to 5.9.1+ and rebuild all statically linked products.
  • CVSS: 7.5 (High)

Exact vulnerable code pattern

uint16_t len = ack_count * sizeof(uint64_t);
byte* out = XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER);
for (i = 0; i < ack_count; i++) {
    c32toa(record_numbers[i], out + (i * sizeof(uint64_t)));
}

Fixed / mitigated code pattern

if (ack_count > (SIZE_MAX / sizeof(uint64_t))) {
    return BUFFER_E;
}
size_t len = ack_count * sizeof(uint64_t);
byte* out = XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER);

Step-by-step integration guide

  1. Inventory wolfSSL packages, vendored source, submodules, and embedded SDKs.
  2. Upgrade to the vendor-fixed build and rebuild static consumers.
  3. Add protocol regression/fuzz coverage for the affected path.
  4. Deploy patched firmware/images and retire vulnerable artifacts.
  5. Document temporary network controls used during rollout.

Alternative mitigations

  • Block untrusted traffic to affected protocol endpoints.
  • Disable the affected protocol feature where possible.
  • Run affected services with process sandboxing and rate limits.

Detection signature

rg -n "wolfSSL|WOLFSSL_VERSION|libwolfssl|DTLS|ALPN|SNI|X509" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-6679: wolfSSL DTLS 1.3 ACK serialization heap overflow.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-6679 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, wolfssl, tls, c, memory-safety, sellable_to_iot, zero_day_gold, high
  • Affected tech stack: c/cpp
  • Revenue tags: sellable_to_iot, zero_day_gold

References