CVE-2026-3230 — Improper Input Validation in Wolfssl

CWE-20 — Improper Input Validation7 documents7 sources

Severity

1.2LOWNVD

EPSS

0.1%

top 80.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Msrc Azl3 Mariadb 10.11.16-1 ON Azure Linux 3.0 +1 more

Timeline

PublishedMar 19

Latest updateApr 3

Description

Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶debiandebian/wolfssl< wolfssl 5.9.0-0.1 (forky)

▶NVDwolfssl/wolfssl< 5.9.0

▶Debianwolfssl/wolfssl< 5.9.0-0.1

▶msrcmsrc/cbl2_mariadb_10.6.24-1_on_cbl_mariner_2.0

▶msrcmsrc/azl3_mariadb_10.11.16-1_on_azure_linux_3.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-g3xr-5f55-cf5g: Missing required cryptographic step in the TLS 1↗2026-03-19

▶

OSV

CVE-2026-3230: Missing required cryptographic step in the TLS 1↗2026-03-19

▶

📋Vendor Advisories

Microsoft

Improper key_share validation in TLS 1.3 HelloRetryRequest↗2026-03-10

▶

Debian

CVE-2026-3230: wolfssl - Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest hand...↗2026

▶

🕵️Threat Intelligence

abuse.ch

ThreatFox Malware Profile: Unidentified 001↗2026-04-03

▶

Wiz

CVE-2026-3230 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶