Search for packages
| purl | pkg:deb/debian/wolfssl@4.6.0%2Bp1-0%2Bdeb11u2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-15fz-hhc7-kyaa
Aliases: CVE-2026-5194 |
wolfSSL: wolfSSL: Reduced security of ECDSA authentication via missing digest size checks |
Affected by 0 other vulnerabilities. |
|
VCID-1u3q-52yd-1bhe
Aliases: CVE-2024-5991 |
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0. |
Affected by 46 other vulnerabilities. |
|
VCID-24mg-wn6a-6bew
Aliases: CVE-2026-5393 |
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL. |
Affected by 0 other vulnerabilities. |
|
VCID-24s5-d6jt-4kfe
Aliases: CVE-2023-6936 |
In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging). |
Affected by 46 other vulnerabilities. |
|
VCID-2ry7-trrg-gfdk
Aliases: CVE-2026-3547 |
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3gve-u4f4-bkht
Aliases: CVE-2026-5392 |
Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData(). |
Affected by 0 other vulnerabilities. |
|
VCID-47nm-nte5-27fm
Aliases: CVE-2024-1545 |
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure. |
Affected by 46 other vulnerabilities. |
|
VCID-4zda-zrq6-hbc8
Aliases: CVE-2026-3579 |
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4zyq-af27-yqa4
Aliases: CVE-2026-5772 |
A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash. |
Affected by 0 other vulnerabilities. |
|
VCID-6n4g-us9a-53g4
Aliases: CVE-2022-38152 |
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API. |
Affected by 57 other vulnerabilities. |
|
VCID-6v8z-cfax-zqbh
Aliases: CVE-2026-2645 |
In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-75y2-h9uk-n3a6
Aliases: CVE-2026-5188 |
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default. |
Affected by 0 other vulnerabilities. |
|
VCID-7xbp-qkvv-bqgm
Aliases: CVE-2024-1543 |
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500 |
Affected by 46 other vulnerabilities. |
|
VCID-8735-ectc-j7a3
Aliases: CVE-2025-12889 |
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9hdy-aqa2-w3bd
Aliases: CVE-2024-5814 |
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 |
Affected by 46 other vulnerabilities. |
|
VCID-9jb1-k32z-w7gw
Aliases: CVE-2026-5507 |
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs. |
Affected by 0 other vulnerabilities. |
|
VCID-9jpj-dfsf-qkce
Aliases: CVE-2026-1005 |
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9jw2-3v9v-ruap
Aliases: CVE-2026-3503 |
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9kev-ferz-5bhr
Aliases: CVE-2025-13912 |
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9x14-2t7m-1kbm
Aliases: CVE-2026-3549 |
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bfap-h1d9-33dj
Aliases: CVE-2026-5504 |
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated. |
Affected by 0 other vulnerabilities. |
|
VCID-cum2-vp1j-syfc
Aliases: CVE-2022-34293 |
wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. |
Affected by 57 other vulnerabilities. |
|
VCID-cv4y-g4un-ckd4
Aliases: CVE-2026-5778 |
Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. |
Affected by 0 other vulnerabilities. |
|
VCID-cxhw-3w24-dkes
Aliases: CVE-2025-11932 |
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dpu2-4w42-kygw
Aliases: CVE-2024-1544 |
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. |
Affected by 46 other vulnerabilities. |
|
VCID-euma-vgqx-sbau
Aliases: CVE-2024-2881 |
Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure. |
Affected by 46 other vulnerabilities. |
|
VCID-f4gq-hqcp-dqe2
Aliases: CVE-2025-7394 |
In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report. |
Affected by 57 other vulnerabilities. |
|
VCID-f57c-kamk-3bct
Aliases: CVE-2026-4159 |
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-f5kd-yqz2-nkcb
Aliases: CVE-2026-5187 |
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer. |
Affected by 0 other vulnerabilities. |
|
VCID-fmtp-x6y7-83g1
Aliases: CVE-2026-3548 |
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-g5u9-khw6-4kgn
Aliases: CVE-2026-5477 |
An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex. |
Affected by 0 other vulnerabilities. |
|
VCID-gcfd-w8je-kqfm
Aliases: CVE-2025-11935 |
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gdur-h588-vbb6
Aliases: CVE-2025-11934 |
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gmdj-a1ys-tqc2
Aliases: CVE-2026-3849 |
Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gtdh-mytb-t3fh
Aliases: CVE-2026-5500 |
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸. |
Affected by 0 other vulnerabilities. |
|
VCID-h6na-nxxq-5yg9
Aliases: CVE-2026-0819 |
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hdbf-118z-2yec
Aliases: CVE-2026-5466 |
wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants. |
Affected by 0 other vulnerabilities. |
|
VCID-hk8r-kk4v-1fa7
Aliases: CVE-2025-12888 |
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jc3b-m4ud-n7fw
Aliases: CVE-2026-5479 |
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. |
Affected by 0 other vulnerabilities. |
|
VCID-jvnf-vh29-ufdh
Aliases: CVE-2026-5460 |
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory. |
Affected by 0 other vulnerabilities. |
|
VCID-jxf4-y1au-5bhw
Aliases: CVE-2026-4395 |
Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-khur-3ax7-9fhb
Aliases: CVE-2025-11931 |
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n64w-nq6a-m7bv
Aliases: CVE-2026-3580 |
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n6uz-fe7m-uqhk
Aliases: CVE-2026-5503 |
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary. |
Affected by 0 other vulnerabilities. |
|
VCID-njbj-f91t-b7f4
Aliases: CVE-2025-11933 |
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nqhj-d7uw-43hd
Aliases: CVE-2026-5264 |
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow. |
Affected by 0 other vulnerabilities. |
|
VCID-srmp-3tvp-9uhv
Aliases: CVE-2026-5295 |
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb(). |
Affected by 0 other vulnerabilities. |
|
VCID-su8x-6n42-n3d5
Aliases: CVE-2024-0901 |
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length. |
Affected by 46 other vulnerabilities. |
|
VCID-u24a-2khf-uyba
Aliases: CVE-2023-6937 |
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. |
Affected by 46 other vulnerabilities. |
|
VCID-u55w-unmd-97cm
Aliases: CVE-2026-5447 |
wolfSSL: wolfSSL: Heap buffer overflow via AuthorityKeyIdentifier size confusion |
Affected by 0 other vulnerabilities. |
|
VCID-udcq-enxt-wyf1
Aliases: CVE-2026-5448 |
X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL. |
Affected by 0 other vulnerabilities. |
|
VCID-ugd8-9xzt-xbdz
Aliases: CVE-2026-5501 |
wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy. |
Affected by 0 other vulnerabilities. |
|
VCID-uvht-9bt9-hfbb
Aliases: CVE-2026-3230 |
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v3m6-zajw-bfhb
Aliases: CVE-2026-3229 |
An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vugd-2jfz-23b5
Aliases: CVE-2026-5446 |
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard. |
Affected by 0 other vulnerabilities. |
|
VCID-x3uy-7crx-2kae
Aliases: CVE-2026-5263 |
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid. |
Affected by 0 other vulnerabilities. |
|
VCID-xfgd-4hs3-vygk
Aliases: CVE-2024-5288 |
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery. |
Affected by 46 other vulnerabilities. |
|
VCID-xuyn-pjpb-g7du
Aliases: CVE-2026-2646 |
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xxkx-w5pc-5uap
Aliases: CVE-2025-11936 |
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zhf4-y8v8-gubn
Aliases: CVE-2023-6935 |
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the server’s private key is not exposed. |
Affected by 46 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||