Debian Wolfssl vulnerabilities
93 known vulnerabilities affecting debian/wolfssl.
Total CVEs: 93
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown
CRITICAL 10, HIGH 22, MEDIUM 35, LOW 26
Vulnerabilities
Page 2 of 5
CVE-2025-7395 | LOW | CVSS 9.2 | 2025
CVE-2025-7395 [CRITICAL]: wolfssl
A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.
Scope: local
bookworm: resolved
bullseye: r
debian
CVE-2025-12889 | LOW | CVSS 2.3 | fixed in wolfssl 5.8.4-1 (forky) | 2025
CVE-2025-12889 [LOW]: wolfssl
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.8.4-1)
sid: resolved (fixed in 5.8.4-1)
trixie: open
CVE-2025-13912 | LOW | CVSS 1.0 | fixed in wolfssl 5.8.4-1 (forky) | 2025
CVE-2025-13912 [LOW]: wolfssl
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.8.4-1)
sid: resolve
CVE-2025-11934 | LOW | CVSS 2.1 | fixed in wolfssl 5.8.4-1 (forky) | 2025
CVE-2025-11934 [LOW]: wolfssl
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and t
CVE-2025-11933 | LOW | CVSS 2.3 | fixed in wolfssl 5.8.4-1 (forky) | 2025
CVE-2025-11933 [LOW]: wolfssl
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.8.4-1)
sid: resolved (fixed in 5.8.4-
CVE-2025-7396 | LOW | CVSS 5.6 | 2025
CVE-2025-7396 [MEDIUM]: wolfssl
In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available, with ARM assembly builds, Intel assembly builds, or the small Curve25519 feature. While the side-channel attack on extracting a private key would be
CVE-2025-11931 | LOW | CVSS 2.1 | fixed in wolfssl 5.8.4-1 (forky) | 2025
CVE-2025-11931 [LOW]: wolfssl
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.8.4-1)
sid: resolved (fixed in 5.8.4-1)
trixi
CVE-2024-5991 | CRITICAL | CVSS 10.0 | fixed in wolfssl 5.7.2-0.1 (forky) | 2024
CVE-2024-5991 [CRITICAL]: wolfssl
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would r
CVE-2024-0901 | HIGH | CVSS 7.5 | fixed in wolfssl 5.7.0-0.3 (forky) | 2024
CVE-2024-0901 [HIGH]: wolfssl
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.7.0-0.3)
sid: resolved (fixed in 5.7.0-0.3)
trixie: resolved (fixed in 5.7.0-0.3)
CVE-2024-1543 | MEDIUM | CVSS 4.1 | fixed in wolfssl 5.6.6-1.2 (forky) | 2024
CVE-2024-1543 [MEDIUM]: wolfssl
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.or
CVE-2024-1544 | MEDIUM | CVSS 4.1 | fixed in wolfssl 5.7.2-0.1 (forky) | 2024
CVE-2024-1544 [MEDIUM]: wolfssl
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements
CVE-2024-2881 | MEDIUM | CVSS 6.7 | fixed in wolfssl 5.7.0-0.3 (forky) | 2024
CVE-2024-2881 [MEDIUM]: wolfssl
Fault injection vulnerability in the wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in wolfSSL 5.6.6 on Linux/Windows allows a remote attacker that co-resides on the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection against the ed25519_key structure.
Scope: local
bookworm: open
bullseye: open
fork
CVE-2024-1545 | MEDIUM | CVSS 5.9 | fixed in wolfssl 5.7.0-0.3 (forky) | 2024
CVE-2024-1545 [MEDIUM]: wolfssl
Fault injection vulnerability in the RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in wolfSSL 5.6.6 on Linux/Windows allows a remote attacker that co-resides on the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection against the RsaKey structure.
Scope: local
bookworm: open
bullseye: open
forky: resol
CVE-2024-5814 | MEDIUM | CVSS 5.1 | fixed in wolfssl 5.7.2-0.1 (forky) | 2024
CVE-2024-5814 [MEDIUM]: wolfssl
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
Scope: local
bookworm: open
bullseye: open
forky: resolved
CVE-2024-5288 | MEDIUM | CVSS 5.1 | fixed in wolfssl 5.7.2-0.1 (forky) | 2024
CVE-2024-5288 [MEDIUM]: wolfssl
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can
CVE-2023-3724 | CRITICAL | CVSS 9.1 | fixed in wolfssl 5.5.4-2+deb12u1 (bookworm) | 2023
CVE-2023-3724 [CRITICAL]: wolfssl
If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key gen
CVE-2023-6936 | MEDIUM | CVSS 5.3 | fixed in wolfssl 5.6.6-1.2 (forky) | 2023
CVE-2023-6936 [MEDIUM]: wolfssl
In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.6.6-1.2)
sid: resolved (fixed in 5.6.6-1.2)
trix
CVE-2023-6937 | MEDIUM | CVSS 5.3 | fixed in wolfssl 5.6.6-1.2 (forky) | 2023
CVE-2023-6937 [MEDIUM]: wolfssl
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and the
CVE-2023-6935 | LOW | CVSS 5.9 | fixed in wolfssl 5.6.6-1.2 (forky) | 2023
CVE-2023-6935 [MEDIUM]: wolfssl
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.
CVE-2022-42905 | CRITICAL | CVSS 9.1 | fixed in wolfssl 5.5.3-1 (bookworm) | 2022
CVE-2022-42905 [CRITICAL]: wolfssl
In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.)
Scope: local
bookworm: resolved (fixed in 5.5.3-1)
bullseye: resolved (fixed in 4.6.0+p1-0+deb11u2)
forky: resol