VYPR

wolfSSL

by wolfSSL

CVEs (116)

  • CVE-2026-4159 · Low · Mar 19, 2026
    risk 0.14 · cvss 3.3 · epss 0.00

    1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with…

  • CVE-2019-11873 · May 23, 2019
    risk 0.01 · cvss n/a · epss 0.09

    wolfSSL 4.0.0 has a buffer overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted ClientHello packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length,…

  • CVE-2026-7532 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced in that configuration, allowing a certificate to bypass an issuing CA's IP address constraints.

  • CVE-2026-55962 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the…

  • CVE-2026-6681 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.

  • CVE-2026-6679 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and…

  • CVE-2026-55964 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while building a certificate path…

  • CVE-2026-6678 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.

  • CVE-2026-8720 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state,…

  • CVE-2026-55961 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now…

  • CVE-2026-6091 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that ends at an intermediate they control and have it accepted as valid. This affects…

  • CVE-2026-6291 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed.…

  • CVE-2026-3230 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required…

  • CVE-2026-4395 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path…

  • CVE-2026-3849 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote…

  • CVE-2026-3547 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a…

  • CVE-2026-3549 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still…

  • CVE-2026-3580 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local…

  • CVE-2026-3579 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9,…

  • CVE-2025-13912 · Low · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.
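CVE-2026-6679 above attributes the DTLS 1.3 ACK heap overflow to an integer truncation when computing the length of the record-number list. The following is an added example, not wolfSSL's code, of an ACK body encoder that computes the length in a wide type and refuses lists the 16-bit vector length cannot carry (RFC 9147 §7: each RecordNumber is 16 bytes, the list length field is two bytes), shown next to the narrowing arithmetic that yields an undersized allocation. The names ack_list_len_truncated, ack_list_len_checked, ack_serialize and ack_demo_byte are invented for the illustration, and the two sample record numbers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* RFC 9147 §7: RecordNumber = uint64 epoch || uint64 sequence_number (16 bytes);
 * ACK body = record_numbers<0..2^16-1>, i.e. a 2-byte length then the entries. */
typedef struct { uint64_t epoch; uint64_t seq; } record_number;

#define RN_SIZE      16u
#define ACK_LIST_MAX 0xFFFFu   /* largest value the 2-byte vector length can carry */
#define ACK_HDR      2u

static void put_u64_be(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (56 - 8 * i));
}

/* Bug pattern: the list length is computed in, or narrowed to, a 16-bit type.
 * 4096 entries need 65536 bytes, which wraps to 0; 4097 entries wrap to 16.
 * A buffer sized from this value is too small for the write loop that follows. */
static uint16_t ack_list_len_truncated(size_t count) {
    return (uint16_t)(count * RN_SIZE);
}

/* Checked version: refuse what the wire format cannot express (at most 4095
 * entries), then compute the length in a type wide enough to hold it.
 * Returns the byte length or -1. */
static long ack_list_len_checked(size_t count) {
    if (count > ACK_LIST_MAX / RN_SIZE) return -1;
    return (long)(count * RN_SIZE);
}

/* Serialize an ACK body. The allocation is sized from the checked length, so
 * the write loop cannot run past the buffer. The caller frees the result. */
static uint8_t *ack_serialize(const record_number *rns, size_t count, size_t *out_len) {
    long list_len = ack_list_len_checked(count);
    uint8_t *buf;
    if (list_len < 0) return NULL;
    buf = malloc(ACK_HDR + (size_t)list_len);
    if (buf == NULL) return NULL;
    buf[0] = (uint8_t)((uint32_t)list_len >> 8);
    buf[1] = (uint8_t)((uint32_t)list_len & 0xffu);
    for (size_t i = 0; i < count; i++) {
        put_u64_be(buf + ACK_HDR + i * RN_SIZE,     rns[i].epoch);
        put_u64_be(buf + ACK_HDR + i * RN_SIZE + 8, rns[i].seq);
    }
    *out_len = ACK_HDR + (size_t)list_len;
    return buf;
}

/* Demo: encode two constructed record numbers and return byte i of the body
 * (-1 if i is past the end). */
static int ack_demo_byte(size_t i) {
    const record_number rns[2] = { {1, 5}, {2, 0x0102030405060708ULL} };
    size_t len;
    int v = -1;
    uint8_t *buf = ack_serialize(rns, 2, &len);
    if (buf != NULL && i < len) v = buf[i];
    free(buf);
    return v;
}
```

The checked encoder rejects the list before any allocation happens; the truncated helper is kept only to show the wrapped values that would have sized the buffer.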
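CVE-2026-6091 and CVE-2026-55964 above are both path-building checks: a chain must end at a trust anchor rather than at a peer-supplied intermediate, and every peer-supplied CA must carry CA:TRUE and, when a KeyUsage extension is present, keyCertSign. The following is an added example serving both entries; it is not wolfSSL's code and it does not do signature verification, which is assumed to happen separately on each link. The cert struct, the names verify_chain, verify_chain_buggy, may_issue and check, and the three constructed chains are invented for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Minimal certificate model: names stand in for DER subject/issuer and the
 * flags for the BasicConstraints and KeyUsage extensions. Signatures are
 * assumed to be checked elsewhere; this only models path building. */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_ca;          /* BasicConstraints cA */
    int has_ku;         /* KeyUsage extension present */
    int key_cert_sign;  /* keyCertSign bit set */
} cert;

static int in_store(const char *name, const char *const *anchors, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(anchors[i], name) == 0) return 1;
    return 0;
}

/* RFC 5280 §4.2.1.3: a certificate used to verify other certificates must
 * assert cA and, if it carries KeyUsage at all, keyCertSign. This applies to
 * every peer-supplied intermediate, not only to trust-store certificates. */
static int may_issue(const cert *c) {
    if (!c->is_ca) return 0;
    if (c->has_ku && !c->key_cert_sign) return 0;
    return 1;
}

/* Fixed walk. chain[0] is the leaf; returns 0 only if the path ends at a name
 * in the trust store. partial_ok lets the path stop at a trusted intermediate
 * (a pinned, non-self-signed anchor) but never at an untrusted one. */
static int verify_chain(const cert *chain, size_t n, const char *const *anchors,
                        size_t na, int partial_ok) {
    for (size_t i = 0; i < n; i++) {
        const cert *c = &chain[i];
        if (i > 0 && !may_issue(c)) return -1;       /* c signed chain[i-1] */
        if (partial_ok && in_store(c->subject, anchors, na)) return 0;
        if (in_store(c->issuer, anchors, na)) return 0;
        if (i + 1 < n && strcmp(chain[i + 1].subject, c->issuer) != 0) return -1;
    }
    return -1;   /* ran out of certificates before reaching a trust anchor */
}

/* Bug pattern for both CVEs: chain-supplied CAs are never checked for
 * keyCertSign, and in partial-chain mode an exhausted chain counts as success
 * even though its last certificate is peer-supplied and untrusted. */
static int verify_chain_buggy(const cert *chain, size_t n, const char *const *anchors,
                              size_t na, int partial_ok) {
    for (size_t i = 0; i < n; i++) {
        const cert *c = &chain[i];
        if (in_store(c->issuer, anchors, na)) return 0;
        if (i + 1 < n && strcmp(chain[i + 1].subject, c->issuer) != 0) return -1;
    }
    return partial_ok ? 0 : -1;
}

/* Constructed fixtures. */
static const char *const ANCHORS[] = { "Root CA" };
static const cert GOOD[] = {
    { "server.example",    "Good Intermediate", 0, 1, 0 },
    { "Good Intermediate", "Root CA",           1, 1, 1 },
};
static const cert NO_KEYCERTSIGN[] = {   /* CA:TRUE but KeyUsage lacks keyCertSign */
    { "server.example",    "Weak Intermediate", 0, 1, 0 },
    { "Weak Intermediate", "Root CA",           1, 1, 0 },
};
static const cert ATTACKER[] = {         /* ends at an intermediate the peer controls */
    { "server.example",    "Evil Intermediate", 0, 1, 0 },
    { "Evil Intermediate", "Evil Root",         1, 1, 1 },
};

static int check(int use_buggy, const cert *chain, size_t n, int partial_ok) {
    return use_buggy ? verify_chain_buggy(chain, n, ANCHORS, 1, partial_ok)
                     : verify_chain(chain, n, ANCHORS, 1, partial_ok);
}
```

The one line that matters for CVE-2026-6091 is the final return: a walk that exhausts the peer's certificates has not reached anything trusted, whatever mode the verifier is in.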
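CVE-2026-8720 above describes an HMAC Final that, for keys longer than the BLAKE2 block size, re-keyed and reinitialised the running hash, so the resulting MAC no longer depended on the message. The example below is added here to put that control-flow bug beside the correct RFC 2104 flow; it is not wolfSSL's code. It uses a toy 64-bit FNV-1a stream hash as a stand-in for BLAKE2 (an assumption made only so the block runs offline; it is not a cryptographic hash), and the names toy_hmac, hmac_final_buggy, hmac_final_fixed and mac_depends_on_message are invented for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 64   /* BLAKE2b block size in bytes; the long-key threshold */
#define OUT_SIZE    8   /* toy digest size */

/* Toy streaming hash (64-bit FNV-1a). NOT cryptographic: it stands in for
 * BLAKE2 only so the HMAC control flow can be exercised (assumption). */
typedef struct { uint64_t h; } toy_hash;

static void toy_init(toy_hash *s) { s->h = 0xcbf29ce484222325ULL; }
static void toy_update(toy_hash *s, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { s->h ^= p[i]; s->h *= 0x100000001b3ULL; }
}
static void toy_final(toy_hash *s, uint8_t out[OUT_SIZE]) {
    for (int i = 0; i < OUT_SIZE; i++) out[i] = (uint8_t)(s->h >> (8 * i));
}

/* HMAC context: running inner hash plus the block-sized key for the opad pass. */
typedef struct {
    toy_hash inner;
    uint8_t  kblock[BLOCK_SIZE];
    size_t   key_len;   /* original key length, consulted by the buggy Final */
} toy_hmac;

/* (Re)start the inner hash with K ^ ipad. */
static void absorb_ipad(toy_hmac *m) {
    uint8_t ipad[BLOCK_SIZE];
    toy_init(&m->inner);
    for (int i = 0; i < BLOCK_SIZE; i++) ipad[i] = m->kblock[i] ^ 0x36;
    toy_update(&m->inner, ipad, BLOCK_SIZE);
}

static void hmac_init(toy_hmac *m, const uint8_t *key, size_t key_len) {
    memset(m->kblock, 0, BLOCK_SIZE);
    m->key_len = key_len;
    if (key_len > BLOCK_SIZE) {   /* RFC 2104: K = H(K) when K exceeds one block */
        toy_hash t;
        toy_init(&t); toy_update(&t, key, key_len); toy_final(&t, m->kblock);
    } else {
        memcpy(m->kblock, key, key_len);
    }
    absorb_ipad(m);
}

static void hmac_update(toy_hmac *m, const uint8_t *msg, size_t n) {
    toy_update(&m->inner, msg, n);
}

/* Correct Final: out = H((K ^ opad) || H((K ^ ipad) || msg)). */
static void hmac_final_fixed(toy_hmac *m, uint8_t out[OUT_SIZE]) {
    uint8_t inner_digest[OUT_SIZE], opad[BLOCK_SIZE];
    toy_hash outer;
    toy_final(&m->inner, inner_digest);
    toy_init(&outer);
    for (int i = 0; i < BLOCK_SIZE; i++) opad[i] = m->kblock[i] ^ 0x5c;
    toy_update(&outer, opad, BLOCK_SIZE);
    toy_update(&outer, inner_digest, OUT_SIZE);
    toy_final(&outer, out);
}

/* Bug pattern from the advisory: the long-key branch re-keys inside Final,
 * reinitialising the running inner state and discarding every byte that
 * hmac_update() absorbed. Keys of at most BLOCK_SIZE bytes skip the branch. */
static void hmac_final_buggy(toy_hmac *m, uint8_t out[OUT_SIZE]) {
    if (m->key_len > BLOCK_SIZE)
        absorb_ipad(m);   /* message gone */
    hmac_final_fixed(m, out);
}

/* Returns 1 if two different messages give different MACs under the chosen
 * Final, 0 if the MAC is independent of the message (the advisory's symptom). */
static int mac_depends_on_message(int use_buggy_final, size_t key_len) {
    uint8_t key[128], mac1[OUT_SIZE], mac2[OUT_SIZE];
    const uint8_t msg1[] = "transfer 10 EUR";      /* constructed */
    const uint8_t msg2[] = "transfer 10000 EUR";   /* constructed */
    toy_hmac m;
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)(i * 7 + 1);
    hmac_init(&m, key, key_len);
    hmac_update(&m, msg1, sizeof msg1 - 1);
    if (use_buggy_final) hmac_final_buggy(&m, mac1); else hmac_final_fixed(&m, mac1);
    hmac_init(&m, key, key_len);
    hmac_update(&m, msg2, sizeof msg2 - 1);
    if (use_buggy_final) hmac_final_buggy(&m, mac2); else hmac_final_fixed(&m, mac2);
    return memcmp(mac1, mac2, OUT_SIZE) != 0;
}
```

A regression test for this class of bug is cheap: for each key length on both sides of the block size, MAC two distinct messages and require the tags to differ.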
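CVE-2026-6291 above is a Bleichenbacher oracle that arises from returning different error codes for bad RSA padding versus malformed decrypted content. The example below is added here and is not wolfSSL's code: a constant-time EME-PKCS1-v1_5 unpad step and a content-encryption-key length check, first in the leaky form that returns distinguishable codes and then folded into one opaque result. The error names, the helper names (unpad_v15_ct, ktri_unwrap_leaky, ktri_unwrap_fixed, demo_code) and the assumption that a valid CEK is 16, 24 or 32 bytes are mine; the 64-byte blocks are constructed as if they were the RSA-decrypted output.

```c
#include <stddef.h>
#include <stdint.h>

#define KTRI_OK          0
#define PKCS7_DECRYPT_E (-1)   /* fixed path: one opaque failure code */
#define LEAKY_PAD_E     (-2)   /* bug pattern: padding failure ... */
#define LEAKY_CONTENT_E (-3)   /* ... distinguishable from bad content */

/* Constant-time EME-PKCS1-v1_5 unpadding of an RSA-decrypted block em[0..k).
 * Expected layout: 00 || 02 || PS (at least 8 nonzero bytes) || 00 || M.
 * Scans every byte regardless of where the separator is. Returns 0 for good
 * padding, nonzero otherwise; *m_off receives the offset of M (junk if bad). */
static unsigned unpad_v15_ct(const uint8_t *em, size_t k, size_t *m_off) {
    unsigned bad = (unsigned)em[0] | ((unsigned)em[1] ^ 0x02u);
    unsigned found = 0;
    size_t sep = 0;
    for (size_t i = 2; i < k; i++) {
        unsigned is_zero = (unsigned)(((uint32_t)em[i] - 1u) >> 31);  /* 1 iff em[i]==0 */
        unsigned first   = is_zero & (found ^ 1u);                    /* first zero only */
        sep   |= i & (0u - (size_t)first);
        found |= is_zero;
    }
    bad |= found ^ 1u;                                          /* no separator at all */
    bad |= (unsigned)((sep - 10) >> (sizeof(size_t) * 8 - 1)); /* PS shorter than 8 */
    *m_off = sep + 1;
    return bad;
}

/* 1 iff a != b, without a data-dependent branch. */
static unsigned ct_ne(size_t a, size_t b) {
    size_t x = a ^ b;
    return (unsigned)((x | (0u - x)) >> (sizeof(size_t) * 8 - 1));
}

/* Assumption: the unwrapped payload must be an AES key of 16, 24 or 32 bytes. */
static unsigned cek_len_bad(size_t n) {
    return ct_ne(n, 16) & ct_ne(n, 24) & ct_ne(n, 32);
}

/* Bug pattern: the caller (and the network peer) can tell WHY it failed. */
static int ktri_unwrap_leaky(const uint8_t *em, size_t k, size_t *cek_off, size_t *cek_len) {
    size_t off;
    if (unpad_v15_ct(em, k, &off) != 0) return LEAKY_PAD_E;
    if (cek_len_bad(k - off))            return LEAKY_CONTENT_E;
    *cek_off = off; *cek_len = k - off;
    return KTRI_OK;
}

/* Fixed: both checks always run, their results are OR-ed, one code comes out,
 * and nothing usable is returned on failure. */
static int ktri_unwrap_fixed(const uint8_t *em, size_t k, size_t *cek_off, size_t *cek_len) {
    size_t off;
    unsigned bad = unpad_v15_ct(em, k, &off);
    bad |= cek_len_bad(k - off);
    *cek_off = bad ? 0 : off;
    *cek_len = bad ? 0 : k - off;
    return bad ? PKCS7_DECRYPT_E : KTRI_OK;
}

/* Constructed RSA-decrypted block: 00 || second || PS || 00 || payload. */
static void make_em(uint8_t *em, size_t k, uint8_t second, size_t payload_len) {
    size_t ps_len = k - 3 - payload_len;
    em[0] = 0x00; em[1] = second;
    for (size_t i = 0; i < ps_len; i++) em[2 + i] = (uint8_t)(0x41 + (i % 26));
    em[2 + ps_len] = 0x00;
    for (size_t i = 0; i < payload_len; i++) em[3 + ps_len + i] = (uint8_t)(i + 1);
}

/* Returns the code each unwrap gives for three constructed blocks:
 * 0 = well formed with a 16-byte CEK, 1 = wrong block type byte,
 * 2 = good padding but a 7-byte payload. */
static int demo_code(int fixed, int which) {
    uint8_t em[64];
    size_t off, len;
    if (which == 1)      make_em(em, 64, 0x01, 16);
    else if (which == 2) make_em(em, 64, 0x02, 7);
    else                 make_em(em, 64, 0x02, 16);
    return fixed ? ktri_unwrap_fixed(em, 64, &off, &len)
                 : ktri_unwrap_leaky(em, 64, &off, &len);
}
```

Collapsing the codes removes the most direct oracle, but not timing differences in whatever runs afterwards; RFC 3218 describes the further step of continuing with a random content-encryption key so that failures only surface, uniformly, when the content itself fails to decrypt.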
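CVE-2026-3547 above is an out-of-bounds read in ALPN handling caused by incomplete validation of the protocol list. The following is an added example, not wolfSSL's code, of an RFC 7301 ProtocolNameList parser that checks every length against the remaining input before reading, followed by server-preference selection; alpn_parse, alpn_select and the demo_* helpers are invented names, and the four extension bodies are constructed, three of them deliberately malformed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 7301 §3.1 on the wire:
 *   uint16 list_len; then repeated { uint8 name_len; uint8 name[name_len]; }
 * Each name is 1..255 bytes and the names must fill list_len exactly. */
typedef struct { const uint8_t *name; size_t len; } alpn_name;

#define ALPN_MAX_NAMES 16
#define ALPN_ERR (-1)

/* Parses the extension body ext[0..ext_len). Every length is checked against
 * the bytes actually left before any read. Returns the name count or -1. */
static int alpn_parse(const uint8_t *ext, size_t ext_len, alpn_name *out, size_t max_out) {
    size_t pos, end, n = 0, list_len;
    if (ext_len < 2) return ALPN_ERR;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len != ext_len - 2) return ALPN_ERR;  /* must fill the body */
    pos = 2;
    end = pos + list_len;
    while (pos < end) {
        size_t name_len = ext[pos++];
        if (name_len == 0 || name_len > end - pos) return ALPN_ERR;  /* empty or overruns */
        if (n == max_out) return ALPN_ERR;
        out[n].name = ext + pos;
        out[n].len  = name_len;
        n++;
        pos += name_len;
    }
    return (int)n;
}

/* Server-side selection: first server preference present in the client list. */
static const char *alpn_select(const alpn_name *client, size_t nclient,
                               const char *const *prefs, size_t nprefs) {
    for (size_t i = 0; i < nprefs; i++) {
        size_t plen = strlen(prefs[i]);
        for (size_t j = 0; j < nclient; j++)
            if (client[j].len == plen && memcmp(client[j].name, prefs[i], plen) == 0)
                return prefs[i];
    }
    return NULL;
}

/* Constructed extension bodies. */
static const uint8_t ALPN_GOOD[] = {
    0x00, 0x0c, 0x02, 'h', '2', 0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' };
/* name_len 0x08 claims 8 bytes but only 3 remain in the list */
static const uint8_t ALPN_OVERRUN[] = { 0x00, 0x07, 0x02, 'h', '2', 0x08, 'a', 'b', 'c' };
/* list_len says 20 but the body holds 3 */
static const uint8_t ALPN_LIST_TOO_LONG[] = { 0x00, 0x14, 0x02, 'h', '2' };
/* zero-length protocol name */
static const uint8_t ALPN_EMPTY_NAME[] = { 0x00, 0x01, 0x00 };

static int demo_count(const uint8_t *ext, size_t len) {
    alpn_name names[ALPN_MAX_NAMES];
    return alpn_parse(ext, len, names, ALPN_MAX_NAMES);
}

static const char *demo_select(void) {
    static const char *const prefs[] = { "http/1.1", "h2" };  /* server prefers h1 here */
    alpn_name names[ALPN_MAX_NAMES];
    int n = alpn_parse(ALPN_GOOD, sizeof ALPN_GOOD, names, ALPN_MAX_NAMES);
    return n < 0 ? NULL : alpn_select(names, (size_t)n, prefs, 2);
}
```

The two comparisons that matter are `list_len != ext_len - 2` and `name_len > end - pos`: the first pins the inner list to the extension body, the second pins each name to the inner list, so no read is ever issued against a length the peer asserted but did not supply.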
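CVE-2026-3580 and CVE-2025-13912 above concern constant-time mask-select code that the compiler turns back into conditional branches. This is an added example (not wolfSSL's sp_256_get_entry_256_9) of the mask-select pattern with an optimisation barrier on the mask, which is the generic countermeasure; the names ct_mask_eq, ct_table_get, CT_BARRIER and demo_get are mine, and the table contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stops the compiler from proving the mask is 0 or all-ones and folding the
 * AND into a conditional branch (the bnez the CVE describes). GCC/Clang only;
 * assumption: other compilers need their own equivalent. */
#if defined(__GNUC__) || defined(__clang__)
#define CT_BARRIER(v) __asm__ __volatile__("" : "+r"(v))
#else
#define CT_BARRIER(v) ((void)(v))
#endif

/* 0xFFFFFFFF if a == b, else 0, derived with arithmetic rather than a compare. */
static uint32_t ct_mask_eq(uint32_t a, uint32_t b) {
    uint32_t x  = a ^ b;                  /* zero iff equal */
    uint32_t nz = (x | (0u - x)) >> 31;   /* 1 iff x != 0 */
    uint32_t m  = nz - 1u;                /* 0 -> 0xFFFFFFFF, 1 -> 0 */
    CT_BARRIER(m);
    return m;
}

/* Copy row idx of a table of `entries` rows of `words` 32-bit limbs into out,
 * reading every row with the same memory and arithmetic pattern so neither
 * the access sequence nor the control flow depends on idx. */
static void ct_table_get(const uint32_t *table, size_t entries, size_t words,
                         uint32_t idx, uint32_t *out) {
    memset(out, 0, words * sizeof(uint32_t));
    for (size_t i = 0; i < entries; i++) {
        uint32_t m = ct_mask_eq((uint32_t)i, idx);
        for (size_t j = 0; j < words; j++)
            out[j] |= table[i * words + j] & m;
    }
}

/* Demo over a constructed 4-row table of 3 limbs: returns limb j of row idx. */
static uint32_t demo_get(uint32_t idx, size_t j) {
    static const uint32_t table[4 * 3] = {
        0x11111111, 0x12121212, 0x13131313,
        0x21212121, 0x22222222, 0x23232323,
        0x31313131, 0x32323232, 0x33333333,
        0x41414141, 0x42424242, 0x43434343,
    };
    uint32_t out[3];
    ct_table_get(table, 4, 3, idx, out);
    return out[j];
}
```

The C source proves nothing about the emitted code; the check the CVE implies is to build with the target's real flags (here -O3 for RISC-V RV32I) and inspect the disassembly of the select routine for conditional branches such as bnez/beqz. The barrier also does nothing for CVE-2026-3579, where the variable time comes from the libgcc __muldi3 call itself rather than from a mask the optimiser removed; that needs a branch-free multiply routine.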

Page 3 of 6