CVE-2026-3579 — Observable Discrepancy in Wolfssl

CWE-203 — Observable Discrepancy6 documents6 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 91.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Msrc Azl3 Mariadb 10.11.16-1 ON Azure Linux 3.0 +1 more

Timeline

PublishedMar 19

Description

wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data.

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages6 packages

▶debiandebian/wolfssl< wolfssl 5.9.0-0.1 (forky)

▶CVEListV5wolfssl/wolfssl< 5.9.0

▶Debianwolfssl/wolfssl< 5.9.0-0.1

▶NVDwolfssl/wolfssl5.8.4

▶msrcmsrc/cbl2_mariadb_10.6.24-1_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-f5x4-gf23-wqm9: wolfSSL 5↗2026-03-19

▶

OSV

CVE-2026-3579: wolfSSL 5↗2026-03-19

▶

📋Vendor Advisories

Microsoft

Non-constant time multiplication subroutine __muldi3 on RISC-V RV32I↗2026-03-10

▶

Debian

CVE-2026-3579: wolfssl - wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software imple...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3579 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶