VYPR
Vendor

WolfSSL

wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.

Founded: 2004
Products: 9
CVEs: 134
Across products: 140
Status: Private

Recent CVEs (134)
  • CVE-2017-2800 · Critical · May 24, 2017
    risk 0.67 · cvss 9.8 · epss 0.09

    A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the…

  • CVE-2025-7395 · Critical · Jul 18, 2025
    risk 0.60 · cvss · epss 0.00

    A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted…

  • CVE-2026-5264 · Critical · Apr 9, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.

  • CVE-2026-5187 · Critical · Apr 9, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second,…

  • CVE-2026-3548 · Critical · Mar 19, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With…

  • CVE-2017-13099 · High · Dec 13, 2017
    risk 0.54 · cvss 7.5 · epss 0.25

    wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."

  • CVE-2025-15346 · Critical · Jan 8, 2026
    risk 0.53 · cvss · epss 0.00

    A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched…

  • CVE-2026-5393 · Critical · Apr 10, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs are used when building wolfSSL.

  • CVE-2026-5503 · Critical · Apr 9, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to…

  • CVE-2026-5194 · Critical · Apr 9, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA…

  • CVE-2017-8854 · High · May 9, 2017
    risk 0.51 · cvss 7.8 · epss 0.02

    wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed temporary DH file.

  • CVE-2017-8855 · High · May 9, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key.

  • CVE-2015-6925 · High · Jan 22, 2016
    risk 0.49 · cvss 7.5 · epss 0.03

    wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message.

  • CVE-2026-5501 · High · Apr 10, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker…

  • CVE-2026-5479 · High · Apr 10, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform…

  • CVE-2026-5466 · High · Apr 10, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only…

  • CVE-2026-5188 · High · Apr 10, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This…

  • CVE-2026-2646 · High · Mar 19, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to…

  • CVE-2026-5295 · High · Apr 9, 2026
    risk 0.45 · cvss 8.0 · epss 0.00

    A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed…

  • CVE-2026-5477 · High · Apr 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    An integer overflow existed in the wolfCrypt CMAC implementation that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a…