Search for packages
| purl | pkg:deb/debian/wolfssl@4.6.0%2Bp1-0%2Bdeb11u2?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1u3q-52yd-1bhe
Aliases: CVE-2024-5991 |
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-24s5-d6jt-4kfe
Aliases: CVE-2023-6936 |
In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging). |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2ry7-trrg-gfdk
Aliases: CVE-2026-3547 |
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-47nm-nte5-27fm
Aliases: CVE-2024-1545 |
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4zda-zrq6-hbc8
Aliases: CVE-2026-3579 |
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6n4g-us9a-53g4
Aliases: CVE-2022-38152 |
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API. |
Affected by 0 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6v8z-cfax-zqbh
Aliases: CVE-2026-2645 |
In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7xbp-qkvv-bqgm
Aliases: CVE-2024-1543 |
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500 |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8735-ectc-j7a3
Aliases: CVE-2025-12889 |
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9hdy-aqa2-w3bd
Aliases: CVE-2024-5814 |
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9jpj-dfsf-qkce
Aliases: CVE-2026-1005 |
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9jw2-3v9v-ruap
Aliases: CVE-2026-3503 |
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9kev-ferz-5bhr
Aliases: CVE-2025-13912 |
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9x14-2t7m-1kbm
Aliases: CVE-2026-3549 |
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cum2-vp1j-syfc
Aliases: CVE-2022-34293 |
wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. |
Affected by 0 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cxhw-3w24-dkes
Aliases: CVE-2025-11932 |
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dpu2-4w42-kygw
Aliases: CVE-2024-1544 |
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-euma-vgqx-sbau
Aliases: CVE-2024-2881 |
Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-f4gq-hqcp-dqe2
Aliases: CVE-2025-7394 |
In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report. |
Affected by 35 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-f57c-kamk-3bct
Aliases: CVE-2026-4159 |
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fmtp-x6y7-83g1
Aliases: CVE-2026-3548 |
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gcfd-w8je-kqfm
Aliases: CVE-2025-11935 |
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gdur-h588-vbb6
Aliases: CVE-2025-11934 |
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gmdj-a1ys-tqc2
Aliases: CVE-2026-3849 |
Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h6na-nxxq-5yg9
Aliases: CVE-2026-0819 |
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hk8r-kk4v-1fa7
Aliases: CVE-2025-12888 |
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jxf4-y1au-5bhw
Aliases: CVE-2026-4395 |
Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-khur-3ax7-9fhb
Aliases: CVE-2025-11931 |
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n64w-nq6a-m7bv
Aliases: CVE-2026-3580 |
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-njbj-f91t-b7f4
Aliases: CVE-2025-11933 |
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-su8x-6n42-n3d5
Aliases: CVE-2024-0901 |
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u24a-2khf-uyba
Aliases: CVE-2023-6937 |
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-uvht-9bt9-hfbb
Aliases: CVE-2026-3230 |
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v3m6-zajw-bfhb
Aliases: CVE-2026-3229 |
An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xfgd-4hs3-vygk
Aliases: CVE-2024-5288 |
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xuyn-pjpb-g7du
Aliases: CVE-2026-2646 |
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xxkx-w5pc-5uap
Aliases: CVE-2025-11936 |
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zhf4-y8v8-gubn
Aliases: CVE-2023-6935 |
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the server’s private key is not exposed. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-15fc-qcja-yfh6 | wolfCrypt leaks cryptographic information via timing side channel wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without `--enable-fpecc`, `--enable-sp`, or` --enable-sp-math`) contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to precisely measure the duration of signature operations, to infer information about the nonces used and potentially mount a lattice attack to recover the private key used. The issue occurs because ecc.c scalar multiplication might leak the bit length. |
CVE-2019-13628
GHSA-q95h-vc86-hv77 |
| VCID-17td-zhva-7fc1 | A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname. |
CVE-2025-7395
|
| VCID-1uk4-yg8u-kyck | security update |
CVE-2014-6491
|
| VCID-3774-6bd4-8qcs | wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers. |
CVE-2021-44718
|
| VCID-3tpe-fc34-f7c2 | An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application. |
CVE-2020-24585
|
| VCID-4h67-zsu4-c7dp | wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex. |
CVE-2019-15651
|
| VCID-4sc5-xnae-93ff | wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers. |
CVE-2020-24613
|
| VCID-56vb-qqan-6fcd | security update |
CVE-2014-6496
|
| VCID-5wuh-hgt7-4qcj | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. |
CVE-2014-2904
|
| VCID-6qxw-5u8d-sfhq | Information Exposure Through Discrepancy In wolfSSL, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. |
CVE-2021-24116
|
| VCID-6u9d-p6rs-mke3 | In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks. |
CVE-2019-19960
|
| VCID-73c6-zn7h-6ude | In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. |
CVE-2025-7396
|
| VCID-7cuc-6hd9-bych | wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. |
CVE-2018-12436
|
| VCID-7ybv-yjyv-cucz | wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography. |
CVE-2019-19962
|
| VCID-8krv-jqjg-uqc8 | security update |
CVE-2016-7440
|
| VCID-915b-q9gv-zugt | DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. |
CVE-2021-3336
|
| VCID-9bqq-cr1k-2fhq | The C software implementation of ECC in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by leveraging cache-bank hit differences. |
CVE-2016-7438
|
| VCID-av4q-73pk-tucd | Improper Authentication In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the `certificate_verify` message from the handshake, and never present a certificate. |
CVE-2022-25640
|
| VCID-cd24-z82g-fuhm | wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message. |
CVE-2015-6925
|
| VCID-dnrg-xpru-6qc8 | wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces. |
CVE-2019-14317
|
| VCID-dusy-ap5e-kyea | security update |
CVE-2014-6494
|
| VCID-dwyw-64yp-vygf | In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free. |
CVE-2019-18840
|
| VCID-f72k-wxht-zka6 | security update |
CVE-2014-6478
|
| VCID-fczc-rsag-5bdq | A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library. |
CVE-2017-2800
|
| VCID-fqx3-he5r-ekhp | wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. |
CVE-2020-11713
|
| VCID-fzq1-jbg2-q3b4 | In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c. |
CVE-2019-16748
|
| VCID-g272-dr17-7qbu | wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key. |
CVE-2017-8855
|
| VCID-h2vp-p7fd-7bev | Improper Handling of Exceptional Conditions wolfSSL does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response. |
CVE-2021-37155
|
| VCID-hguq-mr6k-jqd3 | Improper Certificate Validation If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used. |
CVE-2023-3724
|
| VCID-jcyf-gcxb-7ucj | CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake. |
CVE-2014-2903
|
| VCID-k1q1-y9ne-wuh7 | An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key). |
CVE-2020-15309
|
| VCID-k32r-azxg-9yh3 | An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle. |
CVE-2022-38153
|
| VCID-k6pn-fcqq-q7hs | It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TLS. This may lead to leakage of sensible data. |
CVE-2018-16870
|
| VCID-kksg-tc63-23bm | In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message. |
CVE-2022-39173
|
| VCID-ktqb-4xkh-jkc4 | wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. |
CVE-2014-2902
|
| VCID-mtcu-yhz9-c7b8 | Improper Certificate Validation In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the `sig_algo` field differs between the `certificate_verify` message and the certificate message. |
CVE-2022-25638
|
| VCID-pq7n-tyq2-xucr | security update |
CVE-2014-6495
|
| VCID-pqgw-v173-6kgh | In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has access to view cache on a machine. |
CVE-2017-6076
|
| VCID-ptst-vmw7-rbbs | The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak." |
CVE-2020-11735
|
| VCID-r73s-x7et-f7b1 | An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. DSA signing uses the BEEA algorithm during modular inversion of the nonce, leading to a side-channel attack against the nonce. |
CVE-2019-19963
|
| VCID-rtzg-kdyv-kyfk | security update |
CVE-2014-6500
|
| VCID-s7rc-gze6-eqa6 | wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed temporary DH file. |
CVE-2017-8854
|
| VCID-ta4b-he3j-jya7 | wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. |
CVE-2014-2901
|
| VCID-u1xz-kt5a-ybbv | examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow. |
CVE-2019-6439
|
| VCID-u8tr-grjg-j7hr | RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. |
CVE-2020-36177
|
| VCID-ubye-e3yx-pfbb | In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.) |
CVE-2022-42905
|
| VCID-v5gp-x49d-bbcg | wolfSSL: insufficient hardening of RSA-CRT implementation (Oracle MySQL CPU Jan 2016) |
CVE-2015-7744
|
| VCID-vj57-tszp-ruaf | wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, total extensions length, PSK extension length, total identity length, and identity length contain their maximum value which is 2^16. The identity data field of the PSK extension of the packet contains the attack data, to be stored in the undefined memory (RAM) of the server. The size of the data is about 65 kB. Possibly the attacker can perform a remote code execution attack. |
CVE-2019-11873
|
| VCID-w49t-kp2a-efh3 | wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT." |
CVE-2017-13099
|
| VCID-x4tg-m9be-2yfe | An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.) |
CVE-2022-42961
|
| VCID-xap5-djda-2uem | Multiple vulnerabilities have been found in Oracle JRE/JDK, allowing both local and remote attackers to compromise various Java components. |
CVE-2014-3566
|
| VCID-y7jq-khf1-97gj | An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service. |
CVE-2020-12457
|
| VCID-ykdv-43ha-muhg | Use of Insufficiently Random Values wolfSSL uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS or DTLS This occurs because of misplaced memory initialization in BuildMessage in internal.c. |
CVE-2022-23408
|
| VCID-yyy6-k4y2-s3ep | Insufficient Verification of Data Authenticity wolfSSL incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extension. |
CVE-2021-38597
|
| VCID-zfyg-ffzg-myd7 | The C software implementation of RSA in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by leveraging cache-bank hit differences. |
CVE-2016-7439
|