Unrated severityNVD Advisory· Published Mar 19, 2026· Updated Mar 25, 2026

Buffer Overflow in HPKE via Oversized ECH Config

CVE-2026-3849

Description

Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.

Affected products

WolfSSL/Wolfsslllm-fuzzy2 versions
=5.8.4+ 1 more
- (no CPE)range: =5.8.4
- (no CPE)range: v5.6.0-stable

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/wolfSSL/wolfssl/pull/9737mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000