Debian Wolfssl vulnerabilities

CVE-2026-3549 [HIGH] CVE-2026-3549: wolfssl - Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extens... Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 5.9.0-0.1) sid:

CVE-2026-3548 [HIGH] CVE-2026-3548: wolfssl - Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsi... Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only af

CVE-2026-3547 [HIGH] CVE-2026-3547: wolfssl - Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 a... Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is en

CVE-2026-2645 [MEDIUM] CVE-2026-2645: wolfssl - In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state m... In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the i

CVE-2026-3503 [MEDIUM] CVE-2026-3503: wolfssl - Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM a... Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): comm

CVE-2026-2646 [MEDIUM] CVE-2026-2646: wolfssl - A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION... A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to

CVE-2026-3849 [MEDIUM] CVE-2026-3849: wolfssl - Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulne... Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server support

CVE-2026-3229 [LOW] CVE-2026-3229: wolfssl - An integer overflow vulnerability existed in the static function wolfssl_add_to_... An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3r

CVE-2026-3579 [LOW] CVE-2026-3579: wolfssl - wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software imple... wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data. Scope:

CVE-2026-3230 [LOW] CVE-2026-3230: wolfssl - Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest hand... Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared

CVE-2026-1005 [LOW] CVE-2026-1005: wolfssl - Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause... Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer over

CVE-2026-4159 [LOW] CVE-2026-4159: wolfssl - 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted c... 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Scope: local boo

CVE-2026-4395 [LOW] CVE-2026-4395: wolfssl - Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex()... Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike

CVE-2026-3580 [LOW] CVE-2026-3580: wolfssl - In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optim... In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis. Scope: local bookworm: open bullseye: ope

CVE-2026-0819 [LOW] CVE-2026-0819: wolfssl - A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encod... A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application se

CVE-2025-7394 [HIGH] CVE-2025-7394: wolfssl - In the OpenSSL compatibility layer implementation, the function RAND_poll() was ... In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects appl

CVE-2025-11935 [MEDIUM] CVE-2025-11935: wolfssl - With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the ... With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the cl

CVE-2025-11936 [MEDIUM] CVE-2025-11936: wolfssl - Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2... Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. S

CVE-2025-12888 [LOW] CVE-2025-12888: wolfssl - Vulnerability in X25519 constant-time cryptographic implementations due to timin... Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. Scope: local book

CVE-2025-11932 [LOW] CVE-2025-11932: wolfssl - The server previously verified the TLS 1.3 PSK binder using a non-constant time ... The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder Scope: local bookworm: open bullseye: open forky: resolved (fixed in 5.8.4-1) sid: resolved (fixed in 5.8.4-1) trixie: open