CVE-2026-2645 — Improperly Implemented Security Check for Standard in Wolfssl

CWE-358 — Improperly Implemented Security Check for Standard6 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 92.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Msrc Azl3 Mariadb 10.11.16-1 ON Azure Linux 3.0 +1 more

Timeline

PublishedMar 19

Description

In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/wolfssl< wolfssl 5.9.0-0.1 (forky)

▶CVEListV5wolfssl/wolfssl< 5.8.4

▶Debianwolfssl/wolfssl< 5.9.0-0.1

▶msrcmsrc/cbl2_mariadb_10.6.24-1_on_cbl_mariner_2.0

▶msrcmsrc/azl3_mariadb_10.11.16-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2026-2645: In wolfSSL 5↗2026-03-19

▶

GHSA

GHSA-cwc7-2fmx-fffq: In wolfSSL 5↗2026-03-19

▶

📋Vendor Advisories

Microsoft

Acceptance of CertificateVerify Message before ClientKeyExchange in TLS 1.2↗2026-03-10

▶

Debian

CVE-2026-2645: wolfssl - In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state m...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2645 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶