Skip to main content

wolfSSL CVE-2026-7531

| EUVDEUVD-2026-39554 LOW
Use After Free (CWE-416)
2026-06-25 facts@wolfssl.com GHSA-w9rp-wwm2-fwmr
2.3
CVSS 4.0 · Vendor: wolfssl

Severity by source

Vendor (wolfssl) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Attacker controls the server so AV:N and PR:N; non-default PQC hybrid build and client-initiated connection required so AC:H and UI:R; only client availability impacted at low severity.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (wolfssl).

CVSS VectorVendor: wolfssl

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 20:31 vuln.today
Analysis Generated
Jun 25, 2026 - 20:31 vuln.today

DescriptionCVE.org

Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.

AnalysisAI

Use-after-free in wolfSSL's TLS 1.3 PQC hybrid KeyShare processing exposes clients built with post-quantum hybrid support to a crash or memory corruption when connecting to a malicious server. This is a bypass of the incomplete fix for CVE-2026-5460 shipped in 5.9.1 - the pointer alias between keyShareEntry->key and ecc_kse->key in TLSX_KeyShare_ProcessPqcHybridClient is not re-synchronized after the inner ECC processing function frees its copy, leaving a dangling pointer that TLSX_KeyShare_FreeAll later passes to wc_ecc_free and XFREE. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Operate malicious TLS 1.3 server
Delivery
Redirect or lure PQC-hybrid-enabled wolfSSL client to connect
Exploit
Serve SECP256R1MLKEM768 ServerHello with invalid X9.63 ECDH marker
Install
wc_ecc_import_x963 fails after ProcessEcc_ex frees aliased key pointer
C2
keyShareEntry->key left dangling
Execute
wolfSSL_free triggers use-after-free in TLSX_KeyShare_FreeAll
Impact
Client process crash or heap corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires the wolfSSL client binary to be compiled with all of the following non-default build flags simultaneously: WOLFSSL_TLS13 (TLS 1.3 enabled), WOLFSSL_HAVE_MLKEM (ML-KEM support), WOLFSSL_PQC_HYBRIDS (PQC hybrid groups enabled), NO_ML_KEM_768 not defined (ML-KEM-768 permitted), HAVE_ECC and NO_ECC_SECP not set (SECP curves available), and WOLFSSL_MLKEM_NO_DECAPSULATE and WOLFSSL_MLKEM_NO_MAKE_KEY not defined. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 accurately characterizes this as a low-severity, low-priority issue in the absence of other signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a malicious TLS 1.3 server - or positioned to intercept a client connection via DNS hijacking or BGP hijack - presents a ServerHello with a SECP256R1MLKEM768 KeyShare whose 65-byte ECDH portion uses the invalid X9.63 leading byte 0x05 (valid markers are 0x04, 0x06, 0x07) while keeping the total key_exchange length correct (1153 bytes). The wolfSSL client's wc_ecc_import_x963 rejects the malformed point after ProcessEcc_ex has already freed the aliased key pointer, leaving keyShareEntry->key dangling; the subsequent wolfSSL_free call then crashes the client process via use-after-free and double-free in TLSX_KeyShare_FreeAll.
Remediation Apply the upstream fix from GitHub PR #10327 (https://github.com/wolfSSL/wolfssl/pull/10327) once a tagged release incorporating it becomes available; a specific patched release version is not confirmed in the available data - monitor https://www.wolfssl.com/docs/security-vulnerabilities/ for an official release announcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-13099 HIGH POC
7.5 Dec 13

wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i

CVE-2017-2800 CRITICAL POC
9.8 May 24

A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting

CVE-2015-6925 HIGH POC
7.5 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra

CVE-2022-39173 HIGH POC
7.5 Sep 29

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (

CVE-2022-38152 HIGH POC
7.5 Aug 31

An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2020-11713 HIGH POC
7.5 Apr 12

wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra

CVE-2019-18840 HIGH POC
7.5 Nov 09

In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh

CVE-2020-15309 HIGH POC
7.0 Aug 21

An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).

CVE-2020-24613 MEDIUM POC
6.8 Aug 24

wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t

CVE-2015-7744 MEDIUM POC
5.9 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR

CVE-2022-38153 MEDIUM POC
5.9 Aug 31

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e

CVE-2021-37155 CRITICAL
9.8 Jul 21

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di

Share

CVE-2026-7531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy