Skip to main content

wolfSSL CVE-2026-10097

| EUVDEUVD-2026-39553 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-25 facts@wolfssl.com GHSA-hcgc-hfp6-58v4
8.3
CVSS 4.0 · Vendor: wolfssl
Share

Severity by source

Vendor (wolfssl) PRIMARY
8.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable decapsulation oracle (AV:N, PR:N) but exploitation needs an adaptive chosen-ciphertext attack with many queries (AC:H); shared-secret recovery yields C:H with limited integrity impact (I:L).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wolfssl).

CVSS VectorVendor: wolfssl

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 26, 2026 - 17:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 17:22 NVD
6.3 (MEDIUM) 8.3 (HIGH)
Source Code Evidence Fetched
Jun 25, 2026 - 20:31 vuln.today
Analysis Generated
Jun 25, 2026 - 20:31 vuln.today

DescriptionCVE.org

ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamoto transform breaks IND-CCA2 security, allowing decapsulation to deviate from the implicit-rejection behavior required by the standard. The AVX2 constant-time ciphertext comparison used during decapsulation never compared the final 32-byte block of the 1568-byte ML-KEM-1024 ciphertext, so a ciphertext manipulated only in those final bytes would compare as equal and decapsulation returned the real shared secret instead of performing the required implicit rejection.

AnalysisAI

Cryptographic decapsulation flaw in wolfSSL's ML-KEM-1024 (Kyber) x86-64 AVX2 code path (versions 5.7.0 through 5.9.1) breaks IND-CCA2 security by failing to compare the final 32-byte block of the 1568-byte ciphertext during the constant-time check, so the Fujisaki-Okamoto transform's mandatory implicit rejection is bypassed. An attacker acting as a chosen-ciphertext oracle can submit ciphertexts altered only in those trailing bytes and have decapsulation return the genuine shared secret rather than a rejection value. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Initiate ML-KEM-1024 KEM with wolfSSL AVX2 peer
Delivery
Tamper only final 32 ciphertext bytes
Exploit
Submit to AVX2 decapsulation oracle
Execution
Comparison skips block, returns real secret
Persist
Adaptively repeat to recover shared secret
Impact
Decrypt protected session data

Vulnerability AssessmentAI

Exploitation Requires the target to run wolfSSL 5.7.0-5.9.1 built with the x86-64 AVX2 ML-KEM assembly and to use the ML-KEM-1024 parameter set (1568-byte ciphertext) for decapsulation; the defect lives in that AVX2 comparison path and the specific trailing 32-byte (offset 1536-1568) block. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly aligned toward a serious-but-not-urgent cryptographic weakness. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker negotiates a TLS or other key-exchange handshake using ML-KEM-1024 against a wolfSSL 5.7.0-5.9.1 peer running the AVX2 build, then repeatedly submits ciphertexts that are valid except for tampering confined to the final 32 bytes. Because decapsulation skips comparing that block, the server returns the real shared secret instead of implicitly rejecting, giving the attacker a CCA2 oracle that can be used in an adaptive attack to recover the session's shared secret. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from wolfSSL pull request https://github.com/wolfSSL/wolfssl/pull/10430, which extends the AVX2 _mlkem_cmp_avx2 routine to compare the final 32-byte block, and watch the wolfSSL security advisories page (https://www.wolfssl.com/docs/security-vulnerabilities/) for the tagged release succeeding 5.9.1 to upgrade to it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production systems running wolfSSL 5.7.0-5.9.1 with Kyber enabled (verify with wolfssl --version and audit active TLS cipher suites). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-13099 HIGH POC
7.5 Dec 13

wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i

CVE-2017-2800 CRITICAL POC
9.8 May 24

A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting

CVE-2015-6925 HIGH POC
7.5 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra

CVE-2022-39173 HIGH POC
7.5 Sep 29

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (

CVE-2022-38152 HIGH POC
7.5 Aug 31

An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2020-11713 HIGH POC
7.5 Apr 12

wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra

CVE-2019-18840 HIGH POC
7.5 Nov 09

In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh

CVE-2020-15309 HIGH POC
7.0 Aug 21

An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).

CVE-2020-24613 MEDIUM POC
6.8 Aug 24

wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t

CVE-2015-7744 MEDIUM POC
5.9 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR

CVE-2022-38153 MEDIUM POC
5.9 Aug 31

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e

CVE-2021-37155 CRITICAL
9.8 Jul 21

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di

Share

CVE-2026-10097 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy