CVE-2025-11934 — Improper Input Validation in Wolfssl

CWE-20 — Improper Input Validation5 documents5 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 96.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Msrc Azl3 Mariadb 10.11.11-1 ON Azure Linux 3.0 +1 more

Timeline

PublishedNov 21

Latest updateNov 22

Description

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Affected Packages6 packages

▶debiandebian/wolfssl< wolfssl 5.8.4-1 (forky)

▶CVEListV5wolfssl/wolfssl3.12.0 — 5.8.4

▶NVDwolfssl/wolfssl5.8.2 — 5.8.4

▶Debianwolfssl/wolfssl< 5.8.4-1

▶msrcmsrc/cbl2_mariadb_10.6.21-1_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-wq2x-6c88-jrh3: Improper input validation in the TLS 1↗2025-11-22

▶

OSV

CVE-2025-11934: Improper input validation in the TLS 1↗2025-11-21

▶

📋Vendor Advisories

Microsoft

Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify↗2025-11-11

▶

Debian

CVE-2025-11934: wolfssl - Improper input validation in the TLS 1.3 CertificateVerify signature algorithm n...↗2025

▶