🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-7532 is a vulnerability in the wolfSSL cryptographic library where IP address-based name constraints in X.509 certificates are not enforced when the WOLFSSL_IP_ALT_NAME compile-time flag is undefined. This means an attacker could potentially use a certificate issued under a constrained CA to authenticate as an IP address that should have been prohibited, bypassing intended access restrictions. The issue affects any workload — including Azure-hosted services — that relies on wolfSSL for TLS certificate validation with IP-based name constraints.

Security Architect’s Take: Audit any Azure workloads or container images that use wolfSSL as their TLS library and confirm whether WOLFSSL_IP_ALT_NAME is defined at build time; if not, patch to a remediated version of wolfSSL immediately and review whether certificates with IP SANs are used in mTLS or zero-trust enforcement paths.
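Added example, not wolfSSL code and not part of the advisory: a stdlib-only Python audit helper that applies the RFC 5280 (section 4.2.1.10) iPAddress name-constraint rules that a build without WOLFSSL_IP_ALT_NAME leaves unenforced, so a defender can independently confirm that the IP SANs on an mTLS leaf certificate stay inside what its issuing chain permits. It assumes you already have the parsed values from a certificate parser: the leaf's SAN iPAddress entries as strings, and each CA's iPAddress permitted/excluded subtrees either as CIDR strings or in the RFC 5280 wire form (address octets followed by netmask octets, 8 bytes for IPv4 and 32 for IPv6). The chain and addresses in the block are constructed sample data.

```python
"""Audit helper: check a leaf certificate's iPAddress SANs against the
NameConstraints of every CA in its chain, per RFC 5280 section 4.2.1.10.

Added example (not wolfSSL code). Inputs are the values a certificate parser
hands back; SAMPLE_CHAIN and SAMPLE_LEAF_IPS below are constructed data.
"""
import ipaddress
from typing import Dict, Iterable, Sequence, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Constraint = Union[bytes, str]


def parse_ip_constraint(value: Constraint) -> IPNetwork:
    """Turn one iPAddress subtree into a network object.

    bytes -> RFC 5280 wire form: address || netmask, equal length each
             (8 octets for IPv4, 32 for IPv6).
    str   -> CIDR notation such as "10.0.0.0/8".
    A non-contiguous netmask is rejected, as RFC 5280 does not allow one.
    """
    if isinstance(value, str):
        return ipaddress.ip_network(value, strict=False)
    if len(value) == 8:
        half, cls = 4, ipaddress.IPv4Network
    elif len(value) == 32:
        half, cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError("iPAddress constraint must be 8 or 32 octets")
    addr = int.from_bytes(value[:half], "big")
    mask = int.from_bytes(value[half:], "big")
    bits = half * 8
    prefix = bin(mask).count("1")
    contiguous = ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1)
    if mask != contiguous:
        raise ValueError("non-contiguous netmask in iPAddress constraint")
    return cls((addr, prefix), strict=False)


def ip_satisfies(ip: str, permitted: Sequence[IPNetwork],
                 excluded: Sequence[IPNetwork]) -> bool:
    """Apply one CA's iPAddress constraints to one SAN address.

    - Any match in excludedSubtrees rejects the name.
    - If the CA lists at least one iPAddress permittedSubtree, the name must
      fall inside one of them. The name form covers both IP versions, so an
      IPv6 SAN under an IPv4-only permitted list fails.
    - A CA with no iPAddress constraints of either kind does not restrict IPs.
    """
    address = ipaddress.ip_address(ip)
    if any(address in net for net in excluded):
        return False
    if permitted and not any(address in net for net in permitted):
        return False
    return True


def check_leaf_ips(
    leaf_ips: Iterable[str],
    chain: Sequence[Tuple[Sequence[Constraint], Sequence[Constraint]]],
) -> Dict[str, bool]:
    """Evaluate every SAN IP against every CA's (permitted, excluded) pair.

    `chain` lists the CAs from the leaf's issuer up to the trust anchor; each
    entry is that CA's (permittedSubtrees, excludedSubtrees) iPAddress lists.
    Checking each CA independently is how constraints accumulate along a
    path: the effective permitted set is the intersection, the excluded set
    the union. Returns a per-address verdict; accept the leaf only if every
    value is True.
    """
    parsed = [([parse_ip_constraint(p) for p in perm],
               [parse_ip_constraint(e) for e in excl]) for perm, excl in chain]
    return {ip: all(ip_satisfies(ip, perm, excl) for perm, excl in parsed)
            for ip in leaf_ips}


# Constructed sample: a root that permits 10.0.0.0/8 but excludes 10.99.0.0/16
# (both in RFC 5280 wire form), and an intermediate narrowing to 10.1.0.0/16.
SAMPLE_CHAIN = [
    (["10.1.0.0/16"], []),                                                   # intermediate
    ([bytes.fromhex("0a000000ff000000")], [bytes.fromhex("0a630000ffff0000")]),  # root
]
# Constructed leaf SAN iPAddress entries: one inside the constraints, three outside.
SAMPLE_LEAF_IPS = ["10.1.2.3", "10.2.0.1", "10.99.4.5", "203.0.113.7"]

if __name__ == "__main__":
    for ip, ok in check_leaf_ips(SAMPLE_LEAF_IPS, SAMPLE_CHAIN).items():
        print(f"{ip:>14}  {'allowed' if ok else 'REJECTED'}")
```

In an audit, feed it the SAN and NameConstraints values extracted from the actual leaf and chain used on an mTLS enforcement path; any address that comes back False is one that a wolfSSL build without WOLFSSL_IP_ALT_NAME would have accepted anyway, which is exactly the gap the advisory describes.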

Original advisory: CVE-2026-7532 iPAddress name constraints not enforced when WOLFSSL_IP_ALT_NAME is undefined