Skip to main content

Wolfssl CVE-2026-5460

| EUVDEUVD-2026-21240 MEDIUM
Use After Free (CWE-416)
2026-04-10 facts@wolfssl.com GHSA-w87p-fqgx-cqq8
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.9.1
EUVD ID Assigned
Apr 10, 2026 - 00:22 euvd
EUVD-2026-21240
Analysis Generated
Apr 10, 2026 - 00:22 vuln.today
CVE Published
Apr 10, 2026 - 00:16 nvd
MEDIUM 6.3

DescriptionCVE.org

A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.

AnalysisAI

Heap use-after-free in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing allows unauthenticated remote attackers to corrupt heap memory and potentially disclose information. The vulnerability occurs when TLSX_KeyShare_ProcessPqcHybridClient() error handling prematurely frees a KyberKey object in src/tls.c, and the caller's subsequent TLSX_KeyShare_FreeAll() invocation writes zero bytes to already-freed memory. CVSS 6.3 reflects low integrity and availability impact; exploitation requires precise network timing (AT:P). No public exploit identified at time of analysis, but the underlying use-after-free pattern is a known attack vector in memory-unsafe code.

Technical ContextAI

WolfSSL implements hybrid post-quantum cryptography (PQC) for TLS 1.3 by combining classical elliptic-curve cryptography with lattice-based algorithms like Kyber. The vulnerability lies in the interaction between two error-handling paths in src/tls.c: TLSX_KeyShare_ProcessPqcHybridClient() calls the internal function TLSX_KeyShare_ProcessPqcClient_ex(), which frees heap-allocated KyberKey objects on error conditions. The caller then invokes TLSX_KeyShare_FreeAll(), a generic cleanup function that attempts to zero-out (via ForceZero()) all cryptographic material in the KeyShare structure, including already-freed KyberKey pointers. This classic use-after-free (CWE-416) pattern occurs because the freed object is not nullified before the second deallocation attempt, allowing writes to recycled heap memory. The vulnerability is specific to PQC hybrid cipher suites negotiated during the TLS 1.3 handshake, requiring the attacker to trigger the error path in TLSX_KeyShare_ProcessPqcClient_ex().

RemediationAI

Apply the patch available in wolfSSL GitHub pull request #10092 (https://github.com/wolfssl/wolfssl/pull/10092). The fix ensures that freed KyberKey objects are nullified or properly tracked to prevent double-free attempts in TLSX_KeyShare_FreeAll(). Users should upgrade to the patched version once released by wolfSSL. If immediate patching is not feasible, disable TLS 1.3 PQC hybrid cipher suites in production deployments by excluding post-quantum key-share negotiation from TLS configurations, though this sacrifices post-quantum security benefits. Contact wolfSSL (facts@wolfssl.com) for the exact patched version number and timeline.

CVE-2017-13099 HIGH POC
7.5 Dec 13

wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i

CVE-2017-2800 CRITICAL POC
9.8 May 24

A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting

CVE-2015-6925 HIGH POC
7.5 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra

CVE-2022-39173 HIGH POC
7.5 Sep 29

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (

CVE-2022-38152 HIGH POC
7.5 Aug 31

An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2020-11713 HIGH POC
7.5 Apr 12

wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra

CVE-2019-18840 HIGH POC
7.5 Nov 09

In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh

CVE-2020-15309 HIGH POC
7.0 Aug 21

An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).

CVE-2020-24613 MEDIUM POC
6.8 Aug 24

wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t

CVE-2015-7744 MEDIUM POC
5.9 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR

CVE-2022-38153 MEDIUM POC
5.9 Aug 31

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e

CVE-2021-37155 CRITICAL
9.8 Jul 21

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di

Share

CVE-2026-5460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy