| Severity | Score | Description | Affected version range |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2026-5264 Heap buffer overflow in DTLS 1.3 ACK message processing. | from 0 |
| CRITICAL | 9.8 | CVE-2026-5187 Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. | from 0 |
| CRITICAL | 9.8 | CVE-2026-4395 Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write att… | from 0 |
| CRITICAL | 9.8 | Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. | from 0 |
| CRITICAL | 9.8 | Heap Overflow in TLS 1.3 ECH parsing. | from 0 |
| CRITICAL | 9.8 | Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur wh… | from 0 |
| CRITICAL | 9.8 | In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for p… | from 0 |
| CRITICAL | 9.8 | wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the seri… | from 0, < 4.6.0+p1-0+deb11u1 |
| CRITICAL | 9.8 | RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest… | from 0, < 4.6.0-1 |
| CRITICAL | 9.8 | In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. | from 0, < 4.2.0+dfsg-1 |
| CRITICAL | 9.8 | wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byt… | from 0, < 4.1.0+dfsg-2 |
| CRITICAL | 9.8 | wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. | from 0, < 4.1.0+dfsg-1 |
| CRITICAL | 9.8 | examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow. | from 0, < 4.1.0+dfsg-1 |
| CRITICAL | 9.8 | A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certi… | from 0, < 3.12.0+dfsg-1 |
| CRITICAL | 9.1 | Dual-Algorithm CertificateVerify out-of-bounds read. | from 0 |
| CRITICAL | 9.1 | In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. | from 0 |
| CRITICAL | 9.1 | Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriat… | from 0 |
| CRITICAL | 9.1 | Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malforme… | from 0 |
| CRITICAL | 9.1 | In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attac… | from 0 |
| CRITICAL | 9.1 | In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network att… | from 0, < 4.6.0+p1-0+deb11u2 |
| CRITICAL | 9.1 | wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. | from 0, < 5.1.1-1 |
| HIGH | 8.8 | Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows a… | from 0 |
| HIGH | 8.8 | Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allo… | from 0 |
| HIGH | 8.8 | If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a… | from 0, < 4.6.0+p1-0+deb11u2 |
| HIGH | 8.2 | Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. | from 0 |
| HIGH | 8.1 | wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if th… | from 0 |
| HIGH | 8.1 | In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization function… | from 0 |
| HIGH | 8.1 | wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin`… | from 0 |
| HIGH | 8.1 | An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. | from 0 |
| HIGH | 8.1 | A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. | from 0 |
| HIGH | 8.1 | DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED225… | from 0, < 4.6.0-3 |
| HIGH | 8.0 | A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. | from 0 |
| HIGH | 7.8 | wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed… | from 0, < 3.10.2+dfsg-1 |
| HIGH | 7.5 | An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. | from 0 |
| HIGH | 7.5 | Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. | from 0 |
| HIGH | 7.5 | Out-of-bounds read in ALPN parsing due to incomplete validation. | from 0 |
| HIGH | 7.5 | In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. | from 0 |
| HIGH | 7.5 | Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CP… | from 0 |
| HIGH | 7.5 | With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client wo… | from 0 |
| HIGH | 7.5 | In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. | from 0 |
| HIGH | 7.5 | In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. | from 0, < 4.6.0+p1-0+deb11u2 |
| HIGH | 7.5 | An issue was discovered in wolfSSL before 5.5.0. | from 0 |
| HIGH | 7.5 | wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. | from 0 |
| HIGH | 7.5 | In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. | from 0, < 4.6.0+p1-0+deb11u1 |
| HIGH | 7.5 | An issue was discovered in wolfSSL before 4.5.0. | from 0, < 4.5.0+dfsg-1 |
| HIGH | 7.5 | wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. | from 0, < 4.4.0+dfsg-1 |
| HIGH | 7.5 | wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography. | from 0, < 4.3.0+dfsg-1 |
| HIGH | 7.5 | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. | from 0, < 3.4.8+dfsg-1 |
| HIGH | 7.5 | wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. | from 0, < 3.4.8+dfsg-1 |
| HIGH | 7.5 | wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. | from 0, < 3.4.8+dfsg-1 |
| HIGH | 7.5 | In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. | from 0, < 4.2.0+dfsg-3 |
| HIGH | 7.5 | wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key. | from 0, < 3.12.0+dfsg-1 |
| HIGH | 7.5 | wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification)… | from 0, < 3.9.10+dfsg-1 |
| HIGH | 7.1 | In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. | from 0 |
| HIGH | 7.1 | A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. | from 0 |
| HIGH | 7.0 | An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. | from 0, < 4.5.0+dfsg-1 |
| MEDIUM | 6.8 | wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. | from 0, < 4.5.0+dfsg-1 |
| MEDIUM | 6.5 | A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. | from 0 |
| MEDIUM | 6.5 | Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a… | from 0 |
| MEDIUM | 6.5 | URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/as… | from 0 |
| MEDIUM | 6.5 | Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthent… | from 0 |
| MEDIUM | 6.5 | In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. | from 0, < 4.6.0+p1-0+deb11u1 |
| MEDIUM | 5.9 | wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bou… | from 0 |
| MEDIUM | 5.9 | wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. | from 0 |
| MEDIUM | 5.9 | An issue was discovered in wolfSSL before 5.7.0. | from 0 |
| MEDIUM | 5.9 | wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when buil… | from 0 |
| MEDIUM | 5.9 | wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic… | from 0, < 4.6.0+p1-0+deb11u1 |
| MEDIUM | 5.9 | An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. | from 0, < 5.5.3-1 |
| MEDIUM | 5.9 | wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extens… | from 0, < 4.6.0+p1-0+deb11u1 |
| MEDIUM | 5.9 | It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TL… | from 0, < 4.1.0+dfsg-1 |
| MEDIUM | 5.9 | wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. | from 0, < 3.13.0+dfsg-1 |
| MEDIUM | 5.9 | CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server cer… | from 0, < 3.4.8+dfsg-1 |
| MEDIUM | 5.9 | wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when all… | from 0, < 3.9.10+dfsg-1 |
| MEDIUM | 5.5 | An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data wa… | from 0 |
| MEDIUM | 5.5 | The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line r… | from 0 |
| MEDIUM | 5.5 | In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has… | from 0, < 3.10.2+dfsg-1 |
| MEDIUM | 5.5 | The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users t… | from 0, < 3.9.10+dfsg-1 |
| MEDIUM | 5.5 | The C software implementation of RSA in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by lev… | from 0, < 3.9.10+dfsg-1 |
| MEDIUM | 5.5 | The C software implementation of ECC in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by lev… | from 0, < 3.9.10+dfsg-1 |
| MEDIUM | 5.4 | Heap out-of-bounds read in PKCS7 parsing. | from 0 |
| MEDIUM | 5.4 | With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateR… | from 0 |
| MEDIUM | 5.3 | A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption que… | from 0 |
| MEDIUM | 5.3 | A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when th… | from 0 |
| MEDIUM | 5.3 | Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting… | from 0 |
| MEDIUM | 5.3 | Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated atta… | from 0 |
| MEDIUM | 5.3 | A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a s… | from 0 |
| MEDIUM | 5.3 | wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. | from 0 |
| MEDIUM | 5.3 | An issue was discovered in wolfSSL before 5.5.0. | from 0, < 4.6.0+p1-0+deb11u2 |
| MEDIUM | 5.3 | An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. | from 0, < 4.5.0+dfsg-1 |
| MEDIUM | 5.3 | The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates,… | from 0, < 4.4.0+dfsg-1 |
| MEDIUM | 5.3 | An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. | from 0, < 4.3.0+dfsg-1 |
| MEDIUM | 5.3 | In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks. | from 0, < 4.3.0+dfsg-1 |
| MEDIUM | 5.3 | wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. | from 0, < 4.2.0+dfsg-1 |
| MEDIUM | 5.2 | Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allo… | from 0 |
| MEDIUM | 4.9 | Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the ord… | from 0 |
| MEDIUM | 4.9 | In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain… | from 0, < 4.6.0-1 |
| MEDIUM | 4.7 | In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting… | from 0 |
| MEDIUM | 4.7 | wolfCrypt leaks cryptographic information via timing side channel | from 0, < 4.1.0+dfsg-1 |
| MEDIUM | 4.7 | wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hid… | from 0, < 3.15.3+dfsg-1 |
| MEDIUM | 4.3 | X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. | from 0 |