JLSEC-2026-702

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-702.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-702.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-702
Upstream
  • EUVD-2026-13137
  • GHSA-24vq-qfc5-qrmj
Published
2026-07-14T21:41:35.775Z
Modified
2026-07-14T21:50:14.675921621Z
Severity
  • 5.0 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When...
Details

A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSLd2iSSLSESSION() function. When deserializing session data with SESSIONCERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable.

Database specific
{
    "sources": [
        {
            "database_specific": {
                "status": "Analyzed"
            },
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2646",
            "imported": "2026-07-14T21:22:49.039Z",
            "published": "2026-03-19T18:16:22.223Z",
            "id": "CVE-2026-2646",
            "modified": "2026-06-17T10:31:27.500Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-2646"
        },
        {
            "modified": "2026-04-29T21:31:20Z",
            "imported": "2026-07-14T21:23:09.956Z",
            "published": "2026-03-19T18:31:19Z",
            "id": "GHSA-24vq-qfc5-qrmj",
            "url": "https://api.github.com/advisories/GHSA-24vq-qfc5-qrmj",
            "html_url": "https://github.com/advisories/GHSA-24vq-qfc5-qrmj"
        },
        {
            "modified": "2026-03-19T17:44:09Z",
            "imported": "2026-07-14T21:22:52.014Z",
            "published": "2026-03-19T17:25:42Z",
            "id": "EUVD-2026-13137",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-13137",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-13137"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / wolfSSL_jll

Package

Name
wolfSSL_jll
Purl
pkg:julia/wolfSSL_jll?uuid=98c43586-9870-5ae5-ab22-acc77b9bbdb5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.9.2+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-702.json"