VulnerableCode Package Details - pkg:deb/debian/wolfssl@0?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-17td-zhva-7fc1	A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.	CVE-2025-7395
VCID-1uk4-yg8u-kyck	security update	CVE-2014-6491
VCID-56vb-qqan-6fcd	security update	CVE-2014-6496
VCID-73c6-zn7h-6ude	In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.	CVE-2025-7396
VCID-dusy-ap5e-kyea	security update	CVE-2014-6494
VCID-f72k-wxht-zka6	security update	CVE-2014-6478
VCID-k32r-azxg-9yh3	An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle.	CVE-2022-38153
VCID-pq7n-tyq2-xucr	security update	CVE-2014-6495
VCID-rtzg-kdyv-kyfk	security update	CVE-2014-6500
VCID-ykdv-43ha-muhg	Use of Insufficiently Random Values wolfSSL uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS or DTLS This occurs because of misplaced memory initialization in BuildMessage in internal.c.	CVE-2022-23408

Vulnerability

Summary

Aliases

VCID-17td-zhva-7fc1

A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.

CVE-2025-7395

VCID-1uk4-yg8u-kyck

security update

CVE-2014-6491

VCID-56vb-qqan-6fcd

security update

CVE-2014-6496

VCID-73c6-zn7h-6ude

In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.

CVE-2025-7396

VCID-dusy-ap5e-kyea

security update

CVE-2014-6494

VCID-f72k-wxht-zka6

security update

CVE-2014-6478

VCID-k32r-azxg-9yh3

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle.

CVE-2022-38153

VCID-pq7n-tyq2-xucr

security update

CVE-2014-6495

VCID-rtzg-kdyv-kyfk

security update

CVE-2014-6500

VCID-ykdv-43ha-muhg

Use of Insufficiently Random Values wolfSSL uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS or DTLS This occurs because of misplaced memory initialization in BuildMessage in internal.c.

CVE-2022-23408

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:16:12.481749+00:00	Debian Importer	Fixing	VCID-73c6-zn7h-6ude	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T13:08:35.934089+00:00	Debian Importer	Fixing	VCID-1uk4-yg8u-kyck	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T12:14:33.246519+00:00	Debian Importer	Fixing	VCID-pq7n-tyq2-xucr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:48:57.655671+00:00	Debian Importer	Fixing	VCID-ykdv-43ha-muhg	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:15:41.271456+00:00	Debian Importer	Fixing	VCID-56vb-qqan-6fcd	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:19:43.624099+00:00	Debian Importer	Fixing	VCID-k32r-azxg-9yh3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:18:50.860486+00:00	Debian Importer	Fixing	VCID-f72k-wxht-zka6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:14:43.507164+00:00	Debian Importer	Fixing	VCID-dusy-ap5e-kyea	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:13:40.833406+00:00	Debian Importer	Fixing	VCID-rtzg-kdyv-kyfk	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:59:21.117009+00:00	Debian Importer	Fixing	VCID-17td-zhva-7fc1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:08:18.557671+00:00	Debian Importer	Fixing	VCID-73c6-zn7h-6ude	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T09:02:27.001128+00:00	Debian Importer	Fixing	VCID-1uk4-yg8u-kyck	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:22:26.866253+00:00	Debian Importer	Fixing	VCID-pq7n-tyq2-xucr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:03:41.631174+00:00	Debian Importer	Fixing	VCID-ykdv-43ha-muhg	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:39:33.838409+00:00	Debian Importer	Fixing	VCID-56vb-qqan-6fcd	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:57:12.830758+00:00	Debian Importer	Fixing	VCID-k32r-azxg-9yh3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:13:23.103121+00:00	Debian Importer	Fixing	VCID-f72k-wxht-zka6	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:10:57.021116+00:00	Debian Importer	Fixing	VCID-dusy-ap5e-kyea	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:10:20.639848+00:00	Debian Importer	Fixing	VCID-rtzg-kdyv-kyfk	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:01:42.274336+00:00	Debian Importer	Fixing	VCID-17td-zhva-7fc1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:57:44.680819+00:00	Debian Importer	Fixing	VCID-73c6-zn7h-6ude	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:44.639660+00:00	Debian Importer	Fixing	VCID-17td-zhva-7fc1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:43.367290+00:00	Debian Importer	Fixing	VCID-k32r-azxg-9yh3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:43.107503+00:00	Debian Importer	Fixing	VCID-ykdv-43ha-muhg	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.477514+00:00	Debian Importer	Fixing	VCID-rtzg-kdyv-kyfk	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.436753+00:00	Debian Importer	Fixing	VCID-56vb-qqan-6fcd	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.396102+00:00	Debian Importer	Fixing	VCID-pq7n-tyq2-xucr	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.354480+00:00	Debian Importer	Fixing	VCID-dusy-ap5e-kyea	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.313089+00:00	Debian Importer	Fixing	VCID-1uk4-yg8u-kyck	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:57:41.271587+00:00	Debian Importer	Fixing	VCID-f72k-wxht-zka6	https://security-tracker.debian.org/tracker/data/json	38.1.0