CVE-2026-3503 — Incorrect Usage of Seeds in Pseudo-Random Number Generator in INC Wolfssl

CWE-335 — Incorrect Usage of Seeds in Pseudo-Random Number Generator6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 93.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl INC Wolfssl Wolfssl Debian Wolfssl +2 more

Timeline

PublishedMar 19

Description

Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.

CVSS vector

CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages5 packages

▶debiandebian/wolfssl< wolfssl 5.9.0-0.1 (forky)

▶CVEListV5wolfssl_inc/wolfssl5.8.2 — 5.9.0

▶Debianwolfssl/wolfssl< 5.9.0-0.1

▶msrcmsrc/cbl2_mariadb_10.6.24-1_on_cbl_mariner_2.0

▶msrcmsrc/azl3_mariadb_10.11.16-1_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-pgc5-r6cv-2825: Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physic↗2026-03-19

▶

OSV

CVE-2026-3503: Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physic↗2026-03-19

▶

📋Vendor Advisories

Microsoft

Fault injection attack with ML-DSA and ML-KEM on ARM↗2026-03-10

▶

Debian

CVE-2026-3503: wolfssl - Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM a...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3503 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶