CVE-2024-5991

Name of the Vulnerable Software and Affected Versions wolfSSL versions through 5.7.0

Description The issue is related to the function MatchDomainName() in the wolfSSL library, where the input parameter str is treated as a NULL terminated string despite being user-provided and unchecked. This can lead to an out-of-bounds read when dealing with non-NULL terminated strings in the function X509 check host(). The problem may allow a remote attacker to impact the availability of protected information.

Recommendations For wolfSSL versions through 5.7.0, as a temporary workaround, consider disabling the MatchDomainName() function until a patch is available. Restrict access to the X509 check host() function to minimize the risk of exploitation. Avoid using non-NULL terminated strings in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.