VYPR

Vendor CVEs

WolfSSL

All CVEs

134 total · sorted by risk
  • CVE-2026-6678 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.

  • CVE-2026-8720 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state,…

  • CVE-2026-55961 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wolfSSL_PKCS7_verify() returned success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now…

  • CVE-2026-6091 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Partial-chain certificate verification may accept chains that terminate at a peer-supplied, untrusted intermediate certificate rather than a trusted anchor. An attacker could present a chain that ends at an intermediate they control and have it accepted as valid. This affects…

  • CVE-2026-6291 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Bleichenbacher padding oracle in PKCS#7 KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error codes depending on whether RSA padding validation failed versus whether the decrypted content was malformed.…

  • CVE-2026-3230 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required…

  • CVE-2026-4395 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path…

  • CVE-2026-3849 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote…

  • CVE-2026-3547 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a…

  • CVE-2026-3549 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still…

  • CVE-2026-3580 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local…

  • CVE-2026-3579 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9,…

  • CVE-2025-15382 · Jan 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a 1-byte heap over-read.

  • CVE-2025-14942 · Jan 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier.…

  • CVE-2025-13912 · Low · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.

  • CVE-2025-12889 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest.

  • CVE-2025-11932 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The server previously verified the TLS 1.3 PSK binder using a non-constant-time method, which could potentially leak information about the PSK binder.

  • CVE-2025-11931 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application.

  • CVE-2025-12888 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory…

  • CVE-2025-11936 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported…

  • CVE-2025-11933 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions.

  • CVE-2025-11934 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the…

  • CVE-2025-11935 · Nov 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke…

  • CVE-2025-11625 · Oct 21, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of client credentials.

  • CVE-2025-7396 · Jul 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the…

  • CVE-2025-7394 · Jul 18, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in…

  • CVE-2025-5025 · May 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that…

  • CVE-2024-2881 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Fault Injection vulnerability in the wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in wolfSSL 5.6.6 on Linux/Windows allows a remote attacker co-resident on the same system as a victim process to disclose information and escalate privileges via Rowhammer…

  • CVE-2024-1545 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Fault Injection vulnerability in the RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in wolfSSL 5.6.6 on Linux/Windows allows a remote attacker co-resident on the same system as a victim process to disclose information and escalate privileges via Rowhammer fault…

  • CVE-2024-1543 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to…

  • CVE-2024-1544 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two …

  • CVE-2024-5814 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. …

  • CVE-2024-5288 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is…

  • CVE-2024-5991 · Aug 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a…

  • CVE-2024-0901 · Mar 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.

  • CVE-2024-2873 · Mar 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability was found in wolfSSH's server-side state machine before version 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.

  • CVE-2023-6936 · Feb 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).

  • CVE-2023-6937 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an…

  • CVE-2023-6935 · Feb 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, a new variation of a timing Bleichenbacher-style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static…

  • CVE-2023-3724 · Jul 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a…

  • CVE-2022-42905 · Nov 6, 2022
    risk 0.00 · cvss n/a · epss 0.02

    In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.)

  • CVE-2022-42961 · Oct 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can…

  • CVE-2022-39173 · Sep 29, 2022
    risk 0.00 · cvss n/a · epss 0.04

    In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required…

  • CVE-2021-44718 · Sep 2, 2022
    risk 0.00 · cvss n/a · epss 0.01

    wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to…

  • CVE-2022-38152 · Aug 31, 2022
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses…

  • CVE-2022-38153 · Aug 31, 2022
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than…

  • CVE-2022-34293 · Aug 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.

  • CVE-2022-32073 · Jul 13, 2022
    risk 0.00 · cvss n/a · epss 0.02

    WolfSSH v1.4.7 was discovered to contain an integer overflow via the function wolfSSH_SFTP_RecvRMDIR.

  • CVE-2022-25640 · Feb 24, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.

  • CVE-2022-25638 · Feb 24, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.
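Worked example for the CVE-2026-8720 entry above (HMAC over BLAKE2 with a key longer than the block size). This is an added example, not wolfSSL's code: a reference HMAC (RFC 2104) over hashlib's BLAKE2b/BLAKE2s that shows where the long-key reduction belongs, a constructed stand-in that reproduces the advisory's symptom (MAC independent of the message once the key exceeds the block size), and a self-test that sweeps key lengths across the block boundary and would catch that symptom. All keys and messages are constructed here; the only assumption is that the stdlib HMAC is a correct reference for the same hash.

```python
import hashlib
import hmac as stdlib_hmac


def hmac_ref(hash_cons, key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104) over an unkeyed hash constructor such as hashlib.blake2b.

    The step the advisory is about is the first one: a key longer than the
    hash's block size is replaced by its digest and then zero-padded. That
    reduction touches only the key; the message is still absorbed by the inner
    hash afterwards, so every message byte influences the tag.
    """
    block_size = hash_cons().block_size          # 128 for BLAKE2b, 64 for BLAKE2s
    if len(key) > block_size:
        key = hash_cons(key).digest()            # long-key branch: reduce the key only
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_cons(ipad + msg).digest()       # message absorbed after the keyed prefix
    return hash_cons(opad + inner).digest()


def hmac_drops_message(hash_cons, key: bytes, msg: bytes) -> bytes:
    """Constructed stand-in for the faulty behaviour described in the advisory
    (not wolfSSL's code path): for keys over the block size the message is
    lost, so the tag depends on the key alone."""
    if len(key) > hash_cons().block_size:
        msg = b""
    return hmac_ref(hash_cons, key, msg)


def long_key_branch_ok(mac_fn, hash_cons) -> bool:
    """Self-test exercising key lengths on both sides of the block boundary.

    For every key length the tag must (a) change when the message changes and
    (b) agree with the standard-library HMAC over the same hash. A MAC with the
    advisory's defect fails (a) for every key longer than the block size.
    """
    block_size = hash_cons().block_size
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to mallory"    # constructed inputs
    for klen in (block_size - 1, block_size, block_size + 1, 2 * block_size + 7):
        key = bytes((i * 7 + 3) & 0xFF for i in range(klen))        # constructed key
        tag1, tag2 = mac_fn(hash_cons, key, m1), mac_fn(hash_cons, key, m2)
        if tag1 == tag2:
            return False                                             # tag ignores the message
        if tag1 != stdlib_hmac.new(key, m1, hash_cons).digest():
            return False                                             # disagrees with reference
    return True


def run_checks() -> dict:
    """(reference passes, faulty stand-in passes) for each BLAKE2 variant."""
    return {
        name: (long_key_branch_ok(hmac_ref, cons), long_key_branch_ok(hmac_drops_message, cons))
        for name, cons in (("BLAKE2b", hashlib.blake2b), ("BLAKE2s", hashlib.blake2s))
    }


if __name__ == "__main__":
    for name, (ref_ok, faulty_ok) in run_checks().items():
        print(f"{name}: reference ok={ref_ok}, faulty stand-in ok={faulty_ok}")
```

The useful property of the self-test is that it deliberately includes a key one byte over the block size: a known-answer test with a short key, which is what most HMAC test vectors use, never enters the long-key branch and would have passed unchanged against the faulty code.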
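Worked example for the CVE-2026-6291 entry above (distinguishable errors in PKCS#7 KTRI decryption forming a Bleichenbacher oracle). This is an added example, not wolfSSL's code. It models only the step after RSA decryption: stripping PKCS#1 v1.5 block-type-2 padding from the fixed-length encoded message and recovering the content-encryption key. The "leaky" form raises a different error for a padding failure than for a content failure, so an observer learns whether the RSA plaintext began with 00 02, which is the one bit a Bleichenbacher query needs. The "uniform" form inspects every byte without early exit, folds all checks into one flag, and on failure substitutes a random key so the caller continues and fails later in the same way for every bad ciphertext (the substitution strategy of RFC 3218). The modulus length, key length and all encoded messages are constructed for this example.

```python
import os

MOD_LEN = 256   # assumed RSA modulus length in bytes (2048-bit key), constructed
CEK_LEN = 32    # assumed content-encryption-key length, constructed


class PaddingError(Exception):
    """Leaky path: the PKCS#1 v1.5 block structure was wrong."""


class ContentError(Exception):
    """Leaky path: structure was fine but the recovered key was unusable."""


def unpad_leaky(em: bytes) -> bytes:
    """Distinguishable failures. Telling PaddingError from ContentError is
    the oracle: ContentError is only reachable when em starts with 00 02."""
    if len(em) != MOD_LEN or em[0] != 0x00 or em[1] != 0x02:
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                                  # absent (-1) or fewer than 8 padding bytes
        raise PaddingError("bad padding string")
    cek = em[sep + 1:]
    if len(cek) != CEK_LEN:
        raise ContentError("unexpected key length")
    return cek


def unpad_uniform(em: bytes, rng=os.urandom) -> tuple:
    """One outcome regardless of which check failed.

    Returns (cek, ok). On failure cek is random so the caller carries on and
    fails later with the same error as any other bad ciphertext. The ok flag
    is for the caller's own bookkeeping and must never be reflected to the peer.
    """
    if len(em) != MOD_LEN:
        raise ValueError("em must be the modulus length")   # property of RSA output, not of the ciphertext
    sep = MOD_LEN - CEK_LEN - 1                   # separator index is fixed for a fixed key length
    bad = em[0] | (em[1] ^ 0x02)                  # non-zero if the header is not 00 02
    for i in range(2, sep):                       # padding string must contain no zero byte
        bad |= ((em[i] - 1) >> 8) & 1             # 1 iff em[i] == 0; no early exit
    bad |= em[sep]                                # separator must be zero
    bad_bit = (-bad >> 8) & 1                     # 1 iff any check failed
    mask = bad_bit * 0xFF
    real, fake = em[sep + 1:], rng(CEK_LEN)
    cek = bytes((r & (mask ^ 0xFF)) | (f & mask) for r, f in zip(real, fake))
    return cek, bad_bit == 0


def probe(unpad, em: bytes) -> str:
    """What a peer observing the error channel sees: the error class, or 'ok'."""
    try:
        unpad(em)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def make_em(block_type: int, cek: bytes) -> bytes:
    """Constructed encoded message: 00 | BT | non-zero padding | 00 | cek (MOD_LEN bytes)."""
    pad = bytes((i % 255) + 1 for i in range(MOD_LEN - 3 - len(cek)))
    return bytes([0x00, block_type]) + pad + b"\x00" + cek


CEK = bytes(range(1, CEK_LEN + 1))                # constructed key with no zero bytes
EM_GOOD = make_em(0x02, CEK)
EM_BAD_HEADER = make_em(0x01, CEK)                # block type 1: padding failure
EM_LONG_KEY = make_em(0x02, CEK + b"\x7f")        # valid structure, separator one byte early: content failure

if __name__ == "__main__":
    for name, em in (("good", EM_GOOD), ("bad header", EM_BAD_HEADER), ("long key", EM_LONG_KEY)):
        print(f"{name:10s} leaky={probe(unpad_leaky, em):13s} uniform={probe(unpad_uniform, em)}")
```

The bitwise flag accumulation shows the branch-free shape the C implementation needs; Python itself gives no timing guarantees, so the property this example actually delivers is the uniform error channel. The timing side of the same attack class is the Marvin entry (CVE-2023-6935) above, and the two defences have to be applied together.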
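Worked example for two of the ClientHello parsing entries above: CVE-2025-11936 (duplicate KeyShareEntry values for the same group) and CVE-2026-3547 (incomplete validation of the ALPN protocol list). This is an added example, not wolfSSL's code: a parser for each extension body, written so that every length is checked against the bytes that actually remain before any slice is taken, and so that a second KeyShareEntry for a group already seen is rejected as RFC 8446 requires. The encoders exist only to construct test vectors, including the malformed ones; none of the byte strings are captured traffic.

```python
import struct


class TLSParseError(ValueError):
    """Should map to a fatal alert (illegal_parameter / decode_error), never a crash."""


def parse_client_key_share(body: bytes) -> list:
    """ClientHello key_share body (RFC 8446, 4.2.8):
        KeyShareEntry client_shares<0..2^16-1>;
        KeyShareEntry { NamedGroup group; opaque key_exchange<1..2^16-1>; }
    Rejects trailing bytes, truncated entries, empty key_exchange and any
    repeated group (clients MUST NOT offer two entries for the same group)."""
    if len(body) < 2:
        raise TLSParseError("key_share: missing list length")
    (total,) = struct.unpack("!H", body[:2])
    if total != len(body) - 2:
        raise TLSParseError("key_share: list length does not match extension length")
    pos, end, seen, shares = 2, 2 + total, set(), []
    while pos < end:
        if end - pos < 4:
            raise TLSParseError("key_share: truncated entry header")
        group, klen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if klen == 0:
            raise TLSParseError("key_share: empty key_exchange")
        if klen > end - pos:                       # bound against what remains, not what is claimed
            raise TLSParseError("key_share: key_exchange overruns list")
        if group in seen:
            raise TLSParseError(f"key_share: duplicate entry for group 0x{group:04x}")
        seen.add(group)
        shares.append((group, body[pos:pos + klen]))
        pos += klen
    return shares


def parse_alpn(body: bytes) -> list:
    """ALPN body (RFC 7301, 3.1):
        ProtocolName protocol_name_list<2..2^16-1>;  ProtocolName opaque<1..2^8-1>"""
    if len(body) < 2:
        raise TLSParseError("alpn: missing list length")
    (total,) = struct.unpack("!H", body[:2])
    if total < 2 or total != len(body) - 2:
        raise TLSParseError("alpn: bad list length")
    pos, end, names = 2, 2 + total, []
    while pos < end:
        nlen = body[pos]
        pos += 1
        if nlen == 0:
            raise TLSParseError("alpn: empty protocol name")
        if nlen > end - pos:                       # the check an over-read is missing
            raise TLSParseError("alpn: protocol name overruns list")
        names.append(body[pos:pos + nlen])
        pos += nlen
    return names


def reject_reason(parser, body: bytes):
    """Error message if the parser rejects body, else None."""
    try:
        parser(body)
        return None
    except TLSParseError as exc:
        return str(exc)


def build_key_share(shares) -> bytes:
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(entries)) + entries


def build_alpn(names) -> bytes:
    lst = b"".join(bytes([len(n)]) + n for n in names)
    return struct.pack("!H", len(lst)) + lst


# Constructed extension bodies (not captured traffic).
X25519, SECP256R1 = 0x001D, 0x0017
GOOD_KEY_SHARE = build_key_share([(X25519, b"\x11" * 32), (SECP256R1, b"\x04" + b"\x22" * 64)])
DUP_KEY_SHARE = build_key_share([(X25519, b"\x11" * 32), (X25519, b"\x33" * 32)])
SHORT_KEY_SHARE = GOOD_KEY_SHARE[:-5]                      # list length claims more than is present
OVERRUN_KEY_SHARE = struct.pack("!H", 36) + struct.pack("!HH", X25519, 0xFFFF) + b"\x11" * 32
GOOD_ALPN = build_alpn([b"h2", b"http/1.1"])
ALPN_OVERRUN = struct.pack("!H", 3) + b"\x09h2"            # name length 9, only 2 bytes follow
ALPN_EMPTY_NAME = build_alpn([b"h2", b""])

if __name__ == "__main__":
    print(parse_client_key_share(GOOD_KEY_SHARE))
    print(parse_alpn(GOOD_ALPN))
    for body in (DUP_KEY_SHARE, SHORT_KEY_SHARE, OVERRUN_KEY_SHARE):
        print(reject_reason(parse_client_key_share, body))
    for body in (ALPN_OVERRUN, ALPN_EMPTY_NAME):
        print(reject_reason(parse_alpn, body))
```

The same discipline covers the duplicate-extension case in the CVE-2025-11933 entry: the outer extension list is parsed the same way, with a set of extension types seen so far and a rejection on repeat.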