CVE-2022-25638 — Improper Certificate Validation in Wolfssl

CWE-295 — Improper Certificate Validation CWE-401 — Missing Release of Memory after Effective Lifetime8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 65.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl

Timeline

PublishedFeb 24

Latest updateFeb 24

Description

In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wolfssl< wolfssl 5.2.0-1 (bookworm)

▶NVDwolfssl/wolfssl< 5.2.0

▶Debianwolfssl/wolfssl< 4.6.0+p1-0+deb11u1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

ImageMagick has memory leak in msl encoder↗2026-02-24

▶

GHSA

GHSA-xxrj-j9r7-g9q6: In wolfSSL before 5↗2022-02-25

▶

OSV

CVE-2022-25638: In wolfSSL before 5↗2022-02-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: CNC Console (hibernate-core) — CVE-2020-25638↗2022-04-15

▶

Debian

CVE-2022-25638: wolfssl - In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted...↗2022

▶

🕵️Threat Intelligence

Trailofbits

Keeping the wolves out of wolfSSL↗2023-01-12

▶

Trailofbits

Keeping the wolves out of wolfSSL↗2023-01-12

▶