CVE-2024-5991

Buffer overread in domain name matching

Description

In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.

Remediation

Solution:

  • Fixed in the following github pull request  https://https://github.com/wolfSSL/wolfssl/pull/7604

Category

10.0
CVSS
Severity: Critical
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.04%
Affected: wolfSSL wolfSSL
Published at:
Updated at:

References

Link Tags
https://https://github.com/wolfSSL/wolfssl/pull/7604 broken link
https://github.com/wolfSSL/wolfssl/pull/7604 issue tracking patch

Frequently Asked Questions

What is the severity of CVE-2024-5991?
CVE-2024-5991 has been scored as a critical severity vulnerability.
How to fix CVE-2024-5991?
To fix CVE-2024-5991: Fixed in the following github pull request  https://https://github.com/wolfSSL/wolfssl/pull/7604
Is CVE-2024-5991 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-5991 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5991?
CVE-2024-5991 affects wolfSSL wolfSSL.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.