Skip to main content

wolfSSL EUVDEUVD-2026-39570

| CVE-2026-6330 MEDIUM
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-25 wolfSSL GHSA-89v8-3927-wfcg
6.3
CVSS 4.0 · Vendor: wolfSSL
Share

Severity by source

Vendor (wolfSSL) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

AV:N because ciphertexts are submitted over the network; AC:H for ARM64 NEON plus ML-KEM prerequisites; C:H because adaptive attack enables shared-secret recovery; I:L for attacker-influenced key material weakening session integrity.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wolfSSL).

CVSS VectorVendor: wolfSSL

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 21:56 vuln.today
Analysis Generated
Jun 25, 2026 - 21:56 vuln.today

DescriptionCVE.org

The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's implicit rejection and weakening IND-CCA2 security on that code path. The constant-time comparison effectively ignored part of the re-encrypted ciphertext, so a decapsulating party could fail to detect a manipulated ciphertext and proceed without the standard's required implicit rejection.

AnalysisAI

wolfSSL's ML-KEM ARM64 NEON decapsulation path compares only half of the re-encrypted ciphertext during the Fujisaki-Okamoto implicit rejection step, breaking the IND-CCA2 security proof for post-quantum key exchange on that architecture. This affects any ARM64 deployment of wolfSSL with ML-KEM (FIPS 203) compiled in and in active use. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish network man-in-the-middle position
Delivery
Intercept ML-KEM encapsulation ciphertext in transit
Exploit
Modify bytes in unchecked second half of ciphertext
Execution
Forward tampered ciphertext to ARM64 wolfSSL decapsulator
Persist
Implicit rejection bypassed, server derives attacker-influenced shared secret
Impact
Repeat adaptive queries to recover session key material

Vulnerability AssessmentAI

Exploitation All of the following conditions must be simultaneously true for exploitation: (1) wolfSSL must be compiled for and executing on ARM64 hardware with NEON intrinsic support; (2) ML-KEM must be compiled in via WOLFSSL_HAVE_MLKEM and WOLFSSL_WC_MLKEM and actively used for key encapsulation/decapsulation; (3) for FIPS builds, the FIPS version must be 7.0.0 or later, as pre-7.0.0 FIPS builds are excluded from the affected code path per the PR test guard; (4) the attacker must be able to submit adaptively chosen ciphertexts to the decapsulating endpoint - requiring at minimum a man-in-the-middle network position or control over the ciphertext input channel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with AV:N/AC:H/AT:P reflects meaningful real-world friction that limits the at-risk population: the vulnerable code path requires ARM64 hardware with NEON support, ML-KEM explicitly compiled in (WOLFSSL_HAVE_MLKEM/WOLFSSL_WC_MLKEM), and an attacker with the ability to submit adaptive ciphertext queries to the decapsulating party. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a man-in-the-middle position on a post-quantum TLS 1.3 session between a client and an ARM64 wolfSSL server with ML-KEM enabled intercepts the ML-KEM ciphertext in transit and modifies bytes in the second half (the unchecked region), then forwards the tampered ciphertext to the server. The server's ARM64 NEON comparison passes despite the modification, implicit rejection does not fire, and the server derives and uses a shared secret from the attacker-influenced input. …
Remediation The upstream fix is available as GitHub PR #10192 (https://github.com/wolfSSL/wolfssl/pull/10192), which corrects the half-comparison defect and adds regression tests covering ciphertext tampering at byte offsets 0 and 32. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-13099 HIGH POC
7.5 Dec 13

wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange i

CVE-2017-2800 CRITICAL POC
9.8 May 24

A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting

CVE-2015-6925 HIGH POC
7.5 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or tra

CVE-2022-39173 HIGH POC
7.5 Sep 29

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. Rated high severity (

CVE-2022-38152 HIGH POC
7.5 Aug 31

An issue was discovered in wolfSSL before 5.5.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2020-11713 HIGH POC
7.5 Apr 12

wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. Ra

CVE-2019-18840 HIGH POC
7.5 Nov 09

In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data wh

CVE-2020-15309 HIGH POC
7.0 Aug 21

An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Rated high severity (CVSS 7.0).

CVE-2020-24613 MEDIUM POC
6.8 Aug 24

wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in t

CVE-2015-7744 MEDIUM POC
5.9 Jan 22

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CR

CVE-2022-38153 MEDIUM POC
5.9 Aug 31

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is e

CVE-2021-37155 CRITICAL
9.8 Jul 21

wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request di

Share

EUVD-2026-39570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy