Wolfssl
by WolfSSL
CVEs (116)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12889 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. |
| CVE-2025-11932 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. |
| CVE-2025-11931 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. |
| CVE-2025-12888 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory… |
| CVE-2025-11936 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported… |
| CVE-2025-11933 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. |
| CVE-2025-11934 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the… |
| CVE-2025-11935 | | | 0.00 | — | 0.00 | | Nov 21, 2025 | With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke… |
| CVE-2025-7396 | | | 0.00 | — | 0.00 | | Jul 18, 2025 | In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the… |
| CVE-2025-7394 | | | 0.00 | — | 0.00 | | Jul 18, 2025 | In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in… |
| CVE-2025-5025 | | | 0.00 | — | 0.00 | | May 28, 2025 | libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that… |
| CVE-2024-2881 | | | 0.00 | — | 0.00 | | Aug 29, 2024 | Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer… |
| CVE-2024-1545 | | | 0.00 | — | 0.01 | | Aug 29, 2024 | Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault… |
| CVE-2024-1543 | | | 0.00 | — | 0.00 | | Aug 29, 2024 | The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to… |
| CVE-2024-1544 | | | 0.00 | — | 0.00 | | Aug 27, 2024 | Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two… |
| CVE-2024-5814 | | | 0.00 | — | 0.00 | | Aug 27, 2024 | A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. … |
| CVE-2024-5288 | | | 0.00 | — | 0.00 | | Aug 27, 2024 | An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is… |
| CVE-2024-5991 | | | 0.00 | — | 0.01 | | Aug 27, 2024 | In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a… |
| CVE-2024-0901 | | | 0.00 | — | 0.01 | | Mar 25, 2024 | Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length. |
| CVE-2023-6936 | | | 0.00 | — | 0.01 | | Feb 20, 2024 | In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging). |
Page 4 of 6