Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-u24a-2khf-uyba
Vulnerability ID VCID-u24a-2khf-uyba
Aliases CVE-2023-6937
Summary wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-20 Improper Input Validation
System Score Found at
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
epss 0.00442 https://api.first.org/data/v1/epss?cve=CVE-2023-6937
cvssv3.1 5.3 https://github.com/wolfSSL/wolfssl/pull/7029
ssvc Track https://github.com/wolfSSL/wolfssl/pull/7029
cvssv3.1 5.3 https://www.wolfssl.com/docs/security-vulnerabilities/
ssvc Track https://www.wolfssl.com/docs/security-vulnerabilities/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-6937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6937
1059357 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357
7029 https://github.com/wolfSSL/wolfssl/pull/7029
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/wolfSSL/wolfssl/pull/7029
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:13:21Z/ Found at https://github.com/wolfSSL/wolfssl/pull/7029
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://www.wolfssl.com/docs/security-vulnerabilities/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:13:21Z/ Found at https://www.wolfssl.com/docs/security-vulnerabilities/
Exploit Prediction Scoring System (EPSS)
Percentile 0.63219
EPSS Score 0.00442
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:37:09.476136+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0