CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-10098

mediumCVSS 5.3covered by 2 sourcesfirst seen 2026-06-09
OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation status of a different certificate. The lookup compared serial-number bytes without first requiring the two serial numbers to be of equal length, so a SingleResponse for one certificate (same issuer) whose serial is a prefix of the target's serial would match, returning the wrong certificate's status. The fix requires the serial lengths to be equal before comparing the serial bytes.

CSIRTS triage

What
This vulnerability involves a length-confusion issue in OCSP CertID serial-number handling.
Who is affected
Deployments using wolfSSL for OCSP responses.
Urgency
Remediation is medium urgency due to the medium severity rating.
Action
Update wolfSSL to the latest version.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-10098

Get an email if CVE-2026-10098 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-10098

CVE.org record

Embed the live status

CVE-2026-10098 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-10098 status](https://www.csirts.com/badge/CVE-2026-10098)](https://www.csirts.com/cve/CVE-2026-10098)