Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/942915?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "type": "deb", "namespace": "debian", "name": "wolfssl", "version": "5.9.0-0.1", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "5.9.1-0.1", "latest_non_vulnerable_version": "5.9.1-0.1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97095?format=api", "vulnerability_id": "VCID-2ry7-trrg-gfdk", "summary": "Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3547", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14329", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14188", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14078", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14077", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14393", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.142", "published_at": "2026-04-07T12:55:00Z" 
}, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14282", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14336", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14244", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1557", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3547" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3547", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3547" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9859", "reference_id": "9859", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-21T03:33:12Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9859" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": 
"VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3547" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ry7-trrg-gfdk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97098?format=api", "vulnerability_id": "VCID-4zda-zrq6-hbc8", "summary": "wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. 
This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3579", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01496", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08687", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08539", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08527", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08669", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08589", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08663", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08618", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08686", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0865", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3579" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3579", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3579" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9855", "reference_id": "9855", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:36:44Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9855" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", 
"is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3579" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4zda-zrq6-hbc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97034?format=api", "vulnerability_id": "VCID-6v8z-cfax-zqbh", "summary": "In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08087", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08122", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08028", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08014", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.0813", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08081", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08143", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00029", 
"scoring_system": "epss", "scoring_elements": "0.08165", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08157", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08138", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.09541", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2645" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2645", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2645" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9694", "reference_id": "9694", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:45:34Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9694" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": 
"VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-2645" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "5.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6v8z-cfax-zqbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96986?format=api", "vulnerability_id": "VCID-9jpj-dfsf-qkce", "summary": "Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. 
An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1005", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.1991", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19906", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19928", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23922", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23968", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23985", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23941", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24035", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24073", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23856", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26886", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1005" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1005", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1005" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9571", "reference_id": "9571", "reference_type": "", "scores": [ { "value": "2.1", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:19:54Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9571" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": 
"pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-1005" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jpj-dfsf-qkce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97093?format=api", "vulnerability_id": "VCID-9jw2-3v9v-ruap", "summary": "Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3503", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06492", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0659", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06516", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06523", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0653", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0652", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0657", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00024", 
"scoring_system": "epss", "scoring_elements": "0.06614", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06607", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06599", "published_at": "2026-04-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00799", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3503" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3503", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3503" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9734", "reference_id": "9734", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/U:Amber" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T19:24:29Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9734" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": 
"VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3503" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jw2-3v9v-ruap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97097?format=api", "vulnerability_id": "VCID-9x14-2t7m-1kbm", "summary": "Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. 
Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3549", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07306", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20873", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20783", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20776", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21017", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20734", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20812", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20959", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20889", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20845", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20793", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3549" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3549", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3549" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9817", "reference_id": "9817", "reference_type": "", "scores": [ { "value": "8.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T01:37:47Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9817" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": 
"pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3549" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9x14-2t7m-1kbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97112?format=api", "vulnerability_id": "VCID-f57c-kamk-3bct", "summary": "1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-4159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04883", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04924", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04873", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0488", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04908", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04927", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04963", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04979", "published_at": 
"2026-04-09T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04961", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.04942", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05606", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-4159" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4159", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4159" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9945", "reference_id": "9945", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T16:28:57Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9945" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { 
"vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-4159" ], "risk_score": 0.6, "exploitability": "0.5", "weighted_severity": "1.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f57c-kamk-3bct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97096?format=api", "vulnerability_id": "VCID-fmtp-x6y7-83g1", "summary": "Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. 
Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3548", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05441", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05537", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05511", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05498", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05491", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0545", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05475", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05479", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05516", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06125", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3548" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3548", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3548" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9628/", "reference_id": "9628", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-19T18:00:17Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9628/" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9873/", "reference_id": "9873", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-19T18:00:17Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9873/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": 
"VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3548" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fmtp-x6y7-83g1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97101?format=api", "vulnerability_id": "VCID-gmdj-a1ys-tqc2", "summary": "Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. 
Note that ECH is off by default, and is only enabled with enable-ech.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3849", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41985", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.4197", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.42019", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41993", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.42012", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41938", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41989", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.42", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.42022", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41984", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44233", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3849" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3849", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3849" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9737", "reference_id": "9737", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/V:D/RE:M/U:Amber" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T14:21:05Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9737" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": 
"pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3849" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gmdj-a1ys-tqc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96982?format=api", "vulnerability_id": "VCID-h6na-nxxq-5yg9", "summary": "A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. 
Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0819", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05879", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05944", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05908", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05919", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05912", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05904", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05942", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05981", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05962", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05953", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.06602", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0819" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0819", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0819" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9630", 
"reference_id": "9630", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T17:19:26Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9630" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-0819" ], "risk_score": 1.0, "exploitability": "0.5", "weighted_severity": "2.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6na-nxxq-5yg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97114?format=api", "vulnerability_id": "VCID-jxf4-y1au-5bhw", "summary": "Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. 
This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-4395", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32057", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31928", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31961", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31939", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32097", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31919", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31971", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32003", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31962", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33779", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-4395" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4395", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4395" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9988", "reference_id": "9988", "reference_type": "", "scores": [ { 
"value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/R:U/V:D/RE:L/U:Amber" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:09:25Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9988" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-4395" ], "risk_score": 0.6, "exploitability": "0.5", "weighted_severity": "1.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jxf4-y1au-5bhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97099?format=api", "vulnerability_id": "VCID-n64w-nq6a-m7bv", "summary": "In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02074", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02053", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02029", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02043", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.0208", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02075", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02077", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": 
"epss", "scoring_elements": "0.02094", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02072", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02057", "published_at": "2026-04-12T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00288", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3580" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3580", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3580" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9855", "reference_id": "9855", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T20:25:11Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9855" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { 
"vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3580" ], "risk_score": 0.9, "exploitability": "0.5", "weighted_severity": "1.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n64w-nq6a-m7bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97068?format=api", "vulnerability_id": "VCID-uvht-9bt9-hfbb", "summary": "Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. 
This issue does not affect the client's authentication of the server during TLS handshakes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3230", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.1932", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19372", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19088", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19168", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19221", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19227", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.1918", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20023", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20036", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20018", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0007", "scoring_system": "epss", "scoring_elements": "0.215", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3230" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3230", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3230" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9754", "reference_id": "9754", "reference_type": "", "scores": [ { "value": "1.2", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:Y/R:A/V:D/U:Clear" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:08:54Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9754" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3230" ], "risk_score": 0.6, "exploitability": "0.5", "weighted_severity": "1.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uvht-9bt9-hfbb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97067?format=api", "vulnerability_id": "VCID-v3m6-zajw-bfhb", "summary": "An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. 
This issue is not remotely exploitable, and would require that the application context loading certificates is compromised.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02087", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02064", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02039", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02052", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02094", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02088", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02089", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02107", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02084", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02069", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03049", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3229" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3229", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3229" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9827", "reference_id": "9827", "reference_type": "", 
"scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T16:29:39Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9827" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { "vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-3229" ], "risk_score": 0.6, "exploitability": "0.5", "weighted_severity": "1.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v3m6-zajw-bfhb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97035?format=api", "vulnerability_id": "VCID-xuyn-pjpb-g7du", "summary": "A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. 
Internal sessions were not vulnerable.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2646", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02167", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02166", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02151", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02148", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02123", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02135", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02172", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02168", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02189", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03195", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2646" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2646", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2646" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9748", "reference_id": "9748", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:43:50Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9748" }, { "reference_url": "https://github.com/wolfSSL/wolfssl/pull/9949", "reference_id": "9949", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:43:50Z/" } ], "url": "https://github.com/wolfSSL/wolfssl/pull/9949" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/942915?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/942886?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.0-0.2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15fz-hhc7-kyaa" }, { "vulnerability": "VCID-24mg-wn6a-6bew" }, { "vulnerability": "VCID-3gve-u4f4-bkht" }, { "vulnerability": "VCID-4zyq-af27-yqa4" }, { "vulnerability": "VCID-75y2-h9uk-n3a6" }, { "vulnerability": "VCID-9jb1-k32z-w7gw" }, { "vulnerability": "VCID-bfap-h1d9-33dj" }, { "vulnerability": "VCID-cv4y-g4un-ckd4" }, { "vulnerability": "VCID-f5kd-yqz2-nkcb" }, { "vulnerability": "VCID-g5u9-khw6-4kgn" }, { "vulnerability": "VCID-gtdh-mytb-t3fh" }, { "vulnerability": "VCID-hdbf-118z-2yec" }, { "vulnerability": "VCID-jc3b-m4ud-n7fw" }, { "vulnerability": "VCID-jvnf-vh29-ufdh" }, { "vulnerability": "VCID-n6uz-fe7m-uqhk" }, { "vulnerability": "VCID-nqhj-d7uw-43hd" }, { "vulnerability": "VCID-srmp-3tvp-9uhv" }, { "vulnerability": "VCID-u55w-unmd-97cm" }, { "vulnerability": "VCID-udcq-enxt-wyf1" }, { "vulnerability": "VCID-ugd8-9xzt-xbdz" }, { 
"vulnerability": "VCID-vugd-2jfz-23b5" }, { "vulnerability": "VCID-x3uy-7crx-2kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1076143?format=api", "purl": "pkg:deb/debian/wolfssl@5.9.1-0.1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2026-2646" ], "risk_score": 2.2, "exploitability": "0.5", "weighted_severity": "4.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xuyn-pjpb-g7du" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/wolfssl@5.9.0-0.1%3Fdistro=trixie" }