wolfssl

117 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-5477
<= 5.9.0
An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_Cmac
7.5HIGH
CVE-2026-5501
<= 5.9.0
wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not check
8.1HIGH
CVE-2026-5500
<= 5.9.0
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no
5.9MEDIUM
CVE-2026-5479
< 5.9.1
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization
8.1HIGH
CVE-2026-5466
< 5.9.1
wolfSSL's ECCSI signature verifier wc_VerifyEccsiHash decodes the r and s scalars from the signature blob via `mp_read_unsig
8.1HIGH
CVE-2026-5188
< 5.9.1
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A ma
8.1HIGH
CVE-2026-5460
< 5.9.1
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handlin
6.5MEDIUM
CVE-2026-5448
< 5.9.1
X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields
4.3MEDIUM
CVE-2026-5393
< 5.9.1
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds
9.1CRITICAL
CVE-2026-5392
< 5.9.1
Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is
5.4MEDIUM
CVE-2026-5507
<= 5.9.0
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An
4.0MEDIUM
CVE-2026-5504
<= 5.9.0
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decry
5.3MEDIUM
CVE-2026-5503
<= 5.9.0
In TLSX_EchChangeSNI, the ctx-extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX
9.1CRITICAL
CVE-2026-5295
< 5.9.1
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. W
8.0HIGH
CVE-2026-5778
< 5.9.1
Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by in
6.5MEDIUM
CVE-2026-5772
< 5.9.1
A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validatio
5.3MEDIUM
CVE-2026-5264
< 5.9.1
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a
9.8CRITICAL
CVE-2026-5263
< 5.9.1
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcry
6.5MEDIUM
CVE-2026-5447
< 5.9.1
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X
7.5HIGH
CVE-2026-5446
>= 5.2.1 and < 5.9.1
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data re
7.1HIGH
CVE-2026-5194
>= 3.12.0 and < 5.9.1
Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is a
9.1CRITICAL
CVE-2026-5187
<= 5.9.0
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only va
9.8CRITICAL
CVE-2026-4159
< 5.9.0
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 a
3.3LOW
CVE-2026-4395
< 5.9.0
Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to
9.8CRITICAL
CVE-2026-3849
>= 5.6.0 and < 5.9.0
Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted C
9.8CRITICAL
CVE-2026-3549
< 5.9.0
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length
9.8CRITICAL
CVE-2026-3547
< 5.9.0
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN
7.5HIGH
CVE-2026-3230
< 5.9.0
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise
2.7LOW
CVE-2026-3229
< 5.9.0
An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificat
5.5MEDIUM
CVE-2026-3580
all versions
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when
4.7MEDIUM
CVE-2026-3579
all versions
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-
5.9MEDIUM
CVE-2026-3503
>= 5.8.2 and < 5.9.0
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrol
5.2MEDIUM
CVE-2026-3548
< 5.9.0
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could
9.8CRITICAL
CVE-2026-2646
< 5.9.0
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with
8.1HIGH
CVE-2026-2645
< 5.8.4
In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectl
7.5HIGH
CVE-2026-1005
<= 5.8.4
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by
5.3MEDIUM
CVE-2026-0819
>= 5.5.0 and < 5.9.0
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttribut
7.1HIGH
CVE-2025-12889
all versions
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the Cer
5.4MEDIUM
CVE-2025-12888
all versions
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizatio
7.5HIGH
CVE-2025-11936
>= 5.8.2 and < 5.8.4
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthentic
5.3MEDIUM
CVE-2025-11934
>= 5.8.2 and < 5.8.4
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multipl
2.7LOW
CVE-2025-11933
>= 5.8.2 and < 5.8.4
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote
6.5MEDIUM
CVE-2025-11932
all versions
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information ab
4.3MEDIUM
CVE-2025-11931
all versions
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the f
8.2HIGH
CVE-2025-11935
>= 5.8.2 and < 5.8.4
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the
7.5HIGH
CVE-2025-7396
all versions
In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure opti
4.6MEDIUM
CVE-2025-7394
>= 3.15.0 and <= 5.8.0
In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potent
9.8CRITICAL
CVE-2024-2881
all versions
Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux
6.7MEDIUM
CVE-2024-1545
all versions
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Win
5.9MEDIUM
CVE-2024-1543
< 5.6.6
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cac
4.1MEDIUM
CVE-2024-5991
<= 5.7.0
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. S
7.5HIGH
CVE-2024-5814
<= 5.7.0
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and ac
5.3MEDIUM
CVE-2024-5288
< 5.7.2
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclos
5.1MEDIUM
CVE-2024-1544
< 5.7.2
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n
4.1MEDIUM
CVE-2024-0901
>= 3.12.2 and <= 5.6.6
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a
7.5HIGH
CVE-2023-6936
< 5.6.6
In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or netw
5.3MEDIUM
CVE-2023-6937
< 5.6.6
wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible t
5.3MEDIUM
CVE-2023-6935
>= 3.12.2 and <= 5.6.4
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack,
5.9MEDIUM
CVE-2023-3724
< 5.6.2
If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious s
9.1CRITICAL
CVE-2022-42905
< 5.5.2
In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or ne
9.1CRITICAL
CVE-2022-42961
< 5.5.0
An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. User
5.3MEDIUM
CVE-2022-39173
< 5.5.1
In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker su
7.5HIGH
CVE-2021-44718
<= 5.0.0
wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted
5.9MEDIUM
CVE-2022-38153
all versions
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable
5.9MEDIUM
CVE-2022-38152
< 5.5.0
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its
7.5HIGH
CVE-2022-34293
< 5.4.0
wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be s
7.5HIGH
CVE-2022-25640
< 5.2.0
In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omi
7.5HIGH
CVE-2022-25638
< 5.2.0
In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 s
6.5MEDIUM
CVE-2022-23408
>= 5.0.0 and < 5.1.1
wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or
9.1CRITICAL
CVE-2021-45939
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_DecodePacket (called from MqttClient_WaitType and MqttClient_S
5.5MEDIUM
CVE-2021-45938
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_DecodePacket (called from MqttClient_WaitType and MqttClient_U
5.5MEDIUM
CVE-2021-45937
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_DecodePacket (called from MqttClient_WaitType and MqttClient_C
5.5MEDIUM
CVE-2021-45936
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttDecode_Disconnect (called from MqttClient_DecodePacket and MqttClient
5.5MEDIUM
CVE-2021-45934
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_DecodePacket (called from MqttClient_HandlePacket and MqttClie
5.5MEDIUM
CVE-2021-45933
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes) in MqttDecode_Publish (called from MqttClient_DecodePacket and Mqt
5.5MEDIUM
CVE-2021-45932
all versions
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in MqttDecode_Publish (called from MqttClient_DecodePacket and Mqt
5.5MEDIUM
CVE-2021-38597
< 4.8.1
wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoChe
5.9MEDIUM
CVE-2021-37155
>= 4.6.0 and < 4.8.0
wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from
9.8CRITICAL
CVE-2021-24116
< 4.6.0
In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers t
4.9MEDIUM
CVE-2021-3336
< 4.7.0
DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending
8.1HIGH
CVE-2020-36177
< 4.6.0
RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size an
9.8CRITICAL
CVE-2020-24613
< 4.5.0
wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. Th
6.8MEDIUM
CVE-2020-24585
< 4.5.0
An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoc
5.3MEDIUM
CVE-2020-15309
< 4.5.0
An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing
7.0HIGH
CVE-2020-12457
< 4.5.0
An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3.
7.5HIGH
CVE-2020-11735
< 4.4.0
The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coor
5.3MEDIUM
CVE-2020-11713
all versions
wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.
7.5HIGH
CVE-2014-2898
< 2.9.0
wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function whic
9.8CRITICAL
CVE-2014-2897
>= 2.5.0 and < 2.9.4
The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which
9.8CRITICAL
CVE-2014-2896
>= 2.5.0 and < 2.9.4
The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have un
9.8CRITICAL
CVE-2019-19963
< 4.3.0
An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. DSA signing uses the BEEA alg
5.3MEDIUM
CVE-2019-19962
< 4.3.0
wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography.
7.5HIGH
CVE-2019-19960
< 4.3.0
In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks.
5.3MEDIUM
CVE-2019-14317
< 4.2.0
wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to co
5.3MEDIUM
CVE-2014-2904
< 3.2.0
wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication.
7.5HIGH
CVE-2014-2902
< 3.2.0
wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates.
7.5HIGH
CVE-2014-2901
< 3.2.0
wolfssl before 3.2.0 does not properly issue certificates for a server's hostname.
7.5HIGH
CVE-2019-18840
>= 4.1.0 and <= 4.2.0c
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handsh
7.5HIGH
CVE-2019-13628
<= 4.0.0
wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without --enable-fpecc, --enable-sp, or --enable-sp-math) contain a timin
4.7MEDIUM
CVE-2019-16748
<= 4.1.0
In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking.
9.8CRITICAL
CVE-2019-15651
all versions
wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BO
9.8CRITICAL
CVE-2019-11873
all versions
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity s
9.8CRITICAL
CVE-2019-6439
<= 3.15.7
examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow.
9.8CRITICAL
CVE-2018-16870
< 3.15.7
It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks a
5.9MEDIUM
CVE-2018-12436
< 3.15.3
wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return O
4.7MEDIUM
CVE-2017-13099
< 3.12.2
wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiat
7.5HIGH
CVE-2014-2903
<= 2.9.4
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted s
5.9MEDIUM
CVE-2017-2800
<= 3.10.2
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potent
9.8CRITICAL
CVE-2017-8855
<= 3.10.4
wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key.
7.5HIGH
CVE-2017-8854
<= 3.10.0a
wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a
7.8HIGH
CVE-2017-6076
< 3.10.2
In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user
5.5MEDIUM
CVE-2016-7440
< 3.9.10
The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for loca
5.5MEDIUM
CVE-2016-7439
<= 3.9.8
The C software implementation of RSA in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA ke
5.5MEDIUM
CVE-2016-7438
<= 3.9.8
The C software implementation of ECC in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA ke
5.5MEDIUM
CVE-2015-7744
< 3.6.8
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process
5.9MEDIUM
CVE-2015-6925
<= 3.6.6
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic ampli
7.5HIGH
CVE-2009-4484
< 1.9.9
Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as us
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin