Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable decapsulation oracle (AV:N, PR:N) but exploitation needs an adaptive chosen-ciphertext attack with many queries (AC:H); shared-secret recovery yields C:H with limited integrity impact (I:L).
Primary rating from Vendor (wolfssl).
CVSS VectorVendor: wolfssl
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
ML-KEM-1024 x64 AVX2 implicit rejection failure in the Fujisaki-Okamoto transform breaks IND-CCA2 security, allowing decapsulation to deviate from the implicit-rejection behavior required by the standard. The AVX2 constant-time ciphertext comparison used during decapsulation never compared the final 32-byte block of the 1568-byte ML-KEM-1024 ciphertext, so a ciphertext manipulated only in those final bytes would compare as equal and decapsulation returned the real shared secret instead of performing the required implicit rejection.
AnalysisAI
Cryptographic decapsulation flaw in wolfSSL's ML-KEM-1024 (Kyber) x86-64 AVX2 code path (versions 5.7.0 through 5.9.1) breaks IND-CCA2 security by failing to compare the final 32-byte block of the 1568-byte ciphertext during the constant-time check, so the Fujisaki-Okamoto transform's mandatory implicit rejection is bypassed. An attacker acting as a chosen-ciphertext oracle can submit ciphertexts altered only in those trailing bytes and have decapsulation return the genuine shared secret rather than a rejection value. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target to run wolfSSL 5.7.0-5.9.1 built with the x86-64 AVX2 ML-KEM assembly and to use the ML-KEM-1024 parameter set (1568-byte ciphertext) for decapsulation; the defect lives in that AVX2 comparison path and the specific trailing 32-byte (offset 1536-1568) block. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly aligned toward a serious-but-not-urgent cryptographic weakness. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker negotiates a TLS or other key-exchange handshake using ML-KEM-1024 against a wolfSSL 5.7.0-5.9.1 peer running the AVX2 build, then repeatedly submits ciphertexts that are valid except for tampering confined to the final 32 bytes. Because decapsulation skips comparing that block, the server returns the real shared secret instead of implicitly rejecting, giving the attacker a CCA2 oracle that can be used in an adaptive attack to recover the session's shared secret. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from wolfSSL pull request https://github.com/wolfSSL/wolfssl/pull/10430, which extends the AVX2 _mlkem_cmp_avx2 routine to compare the final 32-byte block, and watch the wolfSSL security advisories page (https://www.wolfssl.com/docs/security-vulnerabilities/) for the tagged release succeeding 5.9.1 to upgrade to it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all production systems running wolfSSL 5.7.0-5.9.1 with Kyber enabled (verify with wolfssl --version and audit active TLS cipher suites). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra
In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (
An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh
An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).
wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e
wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39553
GHSA-hcgc-hfp6-58v4