Wolfssl
Products by Wolfssl Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 41 vulnerabilities in Wolfssl with an average score of 7.5 out of ten. Last year, in 2025 Wolfssl had 12 security vulnerabilities published. That is, 29 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 41 | 7.50 |
| 2025 | 12 | 0.00 |
| 2024 | 9 | 6.44 |
| 2023 | 1 | 8.80 |
| 2022 | 17 | 6.49 |
| 2021 | 5 | 7.70 |
| 2020 | 6 | 6.37 |
| 2019 | 11 | 9.02 |
| 2018 | 1 | 4.70 |
It may take a day or so for new Wolfssl vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wolfssl Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-0930 | Apr 20, 2026 | **Out-of-bounds read in wolfSSHd on Windows pseudo-console.** Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds read after establishing a connection which would leak the adjacent stack memory to the pseudo-console output. | |
| CVE-2026-5477 | Apr 10, 2026 | **Integer Overflow in wolfCrypt CMAC Enables Tag Forgery.** An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex. | |
| CVE-2026-5188 | Apr 10, 2026 | **wolfSSL SAN Extension Integer Underflow in Certificate Parsing.** An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default. | |
| CVE-2026-5500 | Apr 10, 2026 | **wolfSSL wc_PKCS7 DAE Auth Tag Length Bypass AES-GCM MAC Truncation.** wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2^-128 to 2^-8. | |
| CVE-2026-5501 | Apr 10, 2026 | **wolfSSL OpenSSL API: X509 leaf sign bypass via X509_verify_cert.** wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy. | |
| CVE-2026-5466 | Apr 10, 2026 | **wolfSSL ECCSI verifier bypass via unchecked scalars.** wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants. | |
| CVE-2026-5479 | Apr 10, 2026 | **wolfSSL ChaCha20-Poly1305 AEAD Auth Tag Check Bypass.** In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. | |
| CVE-2026-5460 | Apr 09, 2026 | **WolfSSL heap use-after-free in TLS1.3 PQC hybrid keyshare.** A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory. | |
| CVE-2026-5448 | Apr 09, 2026 | **wolfSSL X.509 Date Buffer Overflow in Compat. Layer API.** X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL. | |
| CVE-2026-5392 | Apr 09, 2026 | **Out-of-Bounds Read in wolfSSL PKCS7 Parsing.** Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData(). | |