Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access and high complexity required to accumulate over 64 GiB in one session; only partial confidentiality impact via keystream reuse, no integrity or availability impact.
Primary rating from Vendor (wolfSSL).
CVSS VectorVendor: wolfSSL
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
AnalysisAI
Keystream reuse in wolfSSL's streaming AES-GCM API exposes ciphertext to partial plaintext recovery when a single session accumulates more than 64 GiB of data, violating NIST SP 800-38D counter limits due to unguarded internal counter wrap. All wolfSSL versions are affected per wildcard CPE (cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*), with the flaw present in both AES-GCM and AES-CCM streaming paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | All of the following must hold simultaneously: (1) the target application invokes wolfSSL's raw streaming AES-GCM API directly - specifically wc_AesGcmEncryptUpdate or wc_AesGcmDecryptUpdate - rather than wolfSSL's TLS record layer, which never presents records large enough to reach this code path; (2) a single uninterrupted streaming session accumulates cumulative plaintext or ciphertext exceeding either the word32 byte-count overflow boundary (~4 GiB) or the NIST SP 800-38D block counter limit (~64 GiB), whichever the internal tracking reaches first; (3) the attacker holds local access with at least low privileges (PR:L per the provided CVSS 4.0 vector) and can observe the resulting ciphertexts from at least two overlapping keystream-reuse regions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.0 (AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) accurately reflects the very low real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local access and control over an application that uses wolfSSL's raw streaming AES-GCM API submits more than 64 GiB of data in a single streaming encryption or decryption session, triggering the internal counter wrap. By capturing two ciphertexts produced from the reused keystream, the attacker XORs them together to recover the XOR of the corresponding plaintexts, achieving partial plaintext recovery. … |
| Remediation | Apply the fix from wolfSSL GitHub PR #10709 (https://github.com/wolfSSL/wolfssl/pull/10709), which adds counter-overflow guards to both AES-GCM and AES-CCM streaming encrypt and decrypt paths. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra
In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (
An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita
wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh
An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).
wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e
wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di
Same weakness CWE-323 – Reusing a Nonce, Key Pair in Encryption
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39493
GHSA-q4q5-jx42-4xp9