A major vulnerability (CVE-2026-5194) has been found in the wolfSSL library, impacting 5 billion devices, including routers, IoT gadgets, and military systems. Learn how this flaw allows hackers to forge digital IDs and why you should update to version 5.9.1 immediately.
A security vulnerability has been found in the wolfSSL library, a set of code used to encrypt data for about 5 billion devices and apps. Manufacturers use this tool to make sure that data moving between computers, routers, and even military systems stays private. Given its use in smart home sensors, games, and industrial tools, the exposure is considerable.
How the vulnerability works
The issue, tracked as CVE-2026-5194, is a flaw in how the library handles certificate-based authentication. This is a process where a device checks a digital ID to ensure a connection is safe. Nicholas Carlini, a researcher from Anthropic’s Frontier Red Team, noted that wolfSSL was failing to verify the size of the digest, which is like a digital fingerprint, and was not checking the OID.
The OID is a label that shows which math formula was used to sign the ID. Missing these checks can allow hackers to forge these IDs and trick a device into trusting a fake server or a malicious file.
According to the official security advisory, these missing checks allow digests smaller than allowed by FIPS 186-4 or 186-5 to be accepted by signature verification functions. This weakness reduces the security of the authentication process and affects multiple signature algorithms, including ECDSA/ECC, DSA, ML-DSA, ED25519, and ED448.
It is particularly dangerous for software builds that have both ECC and EdDSA or ML-DSA enabled during certificate verification. Red Hat gave the bug a severity score of 10 out of 10 because it doesn’t require a user to click on anything, whereas it received a 9.3 rating in the National Vulnerability Database.
The discovery
Nicholas Carlini first reported the flaw to the developers after using an AI-based scanning tool from Anthropic, known as Claude Mythos Preview (part of Project Glasswing. The library is used in a massive variety of industries, including the smart grid, car manufacturing, and aviation. While it is smaller than OpenSSL, which runs most of the web, wolfSSL is the go-to choice for smaller Internet of Things (IoT) gadgets.
Updating your devices
The vulnerability was patched by wolfSSL in version 5.9.1, released on 8 April 2026. The company has now made hash and digest size checks much stricter. But this issue may still not be fully resolved even though a patch is available. The main worry now is for older devices that are no longer supported by their makers.
Many routers, home appliances, or other older gadgets might never get an update, leaving them open to threat actors. Nevertheless, if you use a VPN or have smart home gadgets, install any available firmware updates to keep your hardware safe.
William Wright, CEO of Closed Door Security, shared the following comments with Hackread.com regarding this vulnerability, warning that wolfSSL’s widespread use turns this vulnerability into a major supply chain issue, as organisations often struggle to identify and patch all affected devices, especially unmonitored or outdated systems, which attackers frequently target.
Deeba Ahmed
