CVE-2024-5991: 
wolfSSL vulnerability analysis and mitigation

CVE-2024-5991 is a buffer overflow vulnerability discovered in wolfSSL versions through 5.7.0. The vulnerability exists in the MatchDomainName() function where an input parameter 'str' is treated as a NULL-terminated string without proper validation. The issue was disclosed on August 27, 2024 (NVD).

The vulnerability stems from the X509checkhost() function which accepts a pointer and length parameter but doesn't require NULL termination. When attempting to perform a name check on a non-NULL terminated buffer, the code continues reading beyond the bounds of the input array until it finds a NULL terminator. This represents an out-of-bounds read vulnerability (CWE-125). The vulnerability has received a CVSS v4.0 base score of 10.0 CRITICAL (NVD).

The vulnerability could lead to out-of-bounds memory reads, potentially exposing sensitive information from adjacent memory locations. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (NVD).

A fix has been implemented through a pull request that rewrites the pattern matching functionality to use explicit lengths instead of relying on NULL-terminated strings. Users should upgrade to versions after 5.7.0 once available (GitHub PR).