Wolfssl
Monthly
Integer overflow in wolfSSL CMAC implementation (versions ≤5.9.0) enables zero-effort cryptographic forgery. The wc_CmacUpdate function uses a 32-bit counter (totalSz) that wraps to zero after processing 4 GiB of data, erroneously discarding live CBC-MAC chain state. Attackers can forge CMAC authentication tags by crafting messages with identical suffixes beyond the 4 GiB boundary, undermining message authentication integrity in unauthenticated network contexts. No public exploit identified at time of analysis.
Integer underflow in wolfSSL's ASN.1 certificate parser allows remote attackers to trigger information disclosure and potential memory access violations when processing malformed X.509 certificates with oversized Subject Alternative Name extensions. The vulnerability affects wolfSSL versions up to 5.9.0 but only impacts systems using the non-default original ASN.1 parsing implementation; no public exploit code or active exploitation has been identified at time of analysis.
Man-in-the-middle attackers can truncate AES-GCM authentication tags in wolfSSL's PKCS7 AuthEnvelopedData processing from 16 bytes to 1 byte, degrading cryptographic integrity verification from 2⁻¹²⁸ to 2⁻⁸ probability. Affects wolfSSL versions through 5.9.0 due to missing lower bounds validation in wc_PKCS7_DecodeAuthEnvelopedData(). Unauthenticated network-based attack enables high-severity integrity bypass without user interaction. No public exploit identified at time of analysis.
ChaCha20-Poly1305 AEAD decryption in wolfSSL's EVP layer bypasses authentication tag verification, allowing unauthenticated adjacent attackers to inject arbitrary ciphertext that is decrypted and returned as plaintext without cryptographic validation. Affects wolfSSL versions prior to 5.9.1. Applications using EVP API for ChaCha20-Poly1305 decryption receive potentially malicious plaintext, enabling man-in-the-middle attacks that compromise confidentiality and integrity of encrypted communications. No public exploit identified at time of analysis, low observed exploitation activity (EPSS <1%).
Heap use-after-free in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing allows unauthenticated remote attackers to corrupt heap memory and potentially disclose information. The vulnerability occurs when TLSX_KeyShare_ProcessPqcHybridClient() error handling prematurely frees a KyberKey object in src/tls.c, and the caller's subsequent TLSX_KeyShare_FreeAll() invocation writes zero bytes to already-freed memory. CVSS 6.3 reflects low integrity and availability impact; exploitation requires precise network timing (AT:P). No public exploit identified at time of analysis, but the underlying use-after-free pattern is a known attack vector in memory-unsafe code.
wolfSSL versions before 5.9.1 contain a heap buffer overflow in the X.509 date parsing functions wolfSSL_X509_notAfter and wolfSSL_X509_notBefore when processing crafted certificates through the compatibility layer API. The vulnerability has a CVSS score of 2.3 with attack vector requiring adjacent network access and persistence, affecting only direct API calls and not standard TLS or certificate verification operations. No public exploit code or active exploitation has been identified at the time of analysis.
Buffer overflow in wolfSSL's TLSX_SNI_Write function allows remote unauthenticated attackers to corrupt memory by sending a specially crafted TLS ClientHello with ECH (Encrypted Client Hello) and SNI extension data. The vulnerability occurs when TLSX_EchChangeSNI unconditionally sets extensions even when no inner SNI is configured, causing attacker-controlled SNI data to be written 255 bytes beyond the allocated buffer boundary during ClientHello serialization. CVSS 6.9 indicates moderate integrity and availability impact with low attack complexity.
Stack buffer overflow in wolfSSL's PKCS7 implementation allows local attackers to cause a denial of service or potentially execute code by crafting a CMS EnvelopedData message with an oversized OID in an OtherRecipientInfo recipient structure. The vulnerability affects wolfSSL when compiled with --enable-pkcs7 (disabled by default) and only when an application explicitly registers an ORI decrypt callback, significantly limiting real-world exposure. No public exploit code or active exploitation has been identified at time of analysis.
Heap out-of-bounds read in wolfSSL versions prior to 5.9.1 allows unauthenticated attackers on an adjacent network to trigger information disclosure via a crafted PKCS7 message that bypasses bounds checking in the indefinite-length end-of-content verification loop. The vulnerability has a low CVSS score of 2.3 due to restricted attack vector (adjacent network only) and limited integrity impact, with no public exploit code identified at time of analysis.
Out-of-bounds read in wolfSSL's dual-algorithm CertificateVerify processing allows remote attackers to trigger information disclosure and data integrity violations through crafted input, but only when the library is compiled with both --enable-experimental and --enable-dual-alg-certs flags. The vulnerability affects wolfSSL versions before 5.9.1 and requires network access with low attack complexity, though the attack triggering mechanism involves a passive timing or state condition (AT:P). No public exploit code or active exploitation has been identified.
wolfSSL versions up to 5.9.0 allow arbitrary memory deallocation via unsafe deserialization of poisoned session cache data. An attacker with high privileges who can inject a crafted session into the cache and trigger specific session restore API calls can cause memory corruption with availability impact. No public exploit code or active exploitation has been confirmed; the vulnerability requires precise conditions including local access, high privileges, and user interaction.
Integer underflow in wolfSSL's packet sniffer (versions up to 5.9.0) allows remote attackers to crash applications during AEAD decryption by sending malformed TLS Application Data records with insufficient length for the explicit IV and authentication tag. The vulnerability wraps a 16-bit length value to an unexpectedly large integer, triggering an out-of-bounds read in decryption routines. While the CVSS score is low (2.1) due to limited practical impact (availability only), the attack requires no victim interaction beyond network exposure and affects any system passively inspecting encrypted TLS traffic through wolfSSL's ssl_DecodePacket function.
Stack buffer over-read in wolfSSL's MatchDomainName function allows authenticated remote attackers to cause denial of service through a crafted wildcard hostname during TLS certificate validation when the LEFT_MOST_WILDCARD_ONLY flag is enabled. The vulnerability reads one byte past the allocated buffer when a wildcard character exhausts the entire hostname string, triggering a potential crash with very low real-world exploitation probability (EPSS and CVSS indicate limited practical risk).
Heap buffer overflow in wolfSSL DTLS 1.3 ACK message handler allows unauthenticated remote attackers to achieve integrity and availability impacts via crafted network packets. The vulnerability triggers memory corruption during ACK message processing in DTLS 1.3 sessions, enabling potential arbitrary code execution or denial of service. No public exploit identified at time of analysis, though low observed exploitation activity noted.
wolfSSL's ARIA-GCM cipher suites in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte nonce for every encrypted application-data record, enabling plaintext recovery through cryptanalytic attacks. This vulnerability affects only non-FIPS builds explicitly configured with --enable-aria and the proprietary MagicCrypto SDK (opt-in for Korean regulatory compliance). Authenticated remote attackers can exploit this to recover encrypted data, though AES-GCM implementations in the same product are unaffected due to independent invocation counters. No public exploit code or active exploitation has been identified at time of analysis.
Certificate chain verification bypass in wolfSSL allows malicious intermediate CAs to violate URI nameConstraints. A compromised sub-CA with high-privilege access can issue leaf certificates containing URI Subject Alternative Name entries that breach parent CA nameConstraints restrictions. wolfSSL versions fail to enforce URI-based nameConstraints during chain validation in wolfcrypt/src/asn.c, accepting invalid certificates as legitimate. No public exploit identified at time of analysis. Attack complexity rated low but requires privileged issuer access.
Heap buffer overflow in wolfSSL's CertFromX509 function allows remote attackers to cause information disclosure through malformed X.509 certificates containing oversized AuthorityKeyIdentifier extensions. The vulnerability requires a persistent attacker (AT:P per CVSS 4.0) but no authentication, affecting wolfSSL across all versions until patched. EPSS exploitation probability and active exploitation status cannot be determined from available data; no public exploit code has been independently confirmed.
Heap out-of-bounds write in wolfSSL's DecodeObjectId() function in wolfcrypt/src/asn.c allows authenticated remote attackers to trigger memory corruption through two distinct mechanisms: insufficient bounds checking when outSz equals 1, and confusion between buffer byte size and element count across multiple callers, permitting crafted OIDs with 33+ arcs to overflow a 32-arc buffer. CVSS 2.3 reflects low impact (data modification only, no confidentiality loss), but the vulnerability affects cryptographic certificate and message parsing across all wolfSSL versions up to 5.9.0. No public exploit identified at time of analysis.
A 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData can be triggered via zero-length encrypted content.
CVE-2026-3230 is a security vulnerability (CVSS 1.2). Remediation should follow standard vulnerability management procedures.
Stack buffer overflow in wolfSSL 5.8.4's ECH (Encrypted Client Hello) implementation allows remote attackers to crash TLS clients or achieve code execution by sending a maliciously crafted ECH configuration. The vulnerability affects clients that have explicitly enabled ECH support, which is disabled by default. An attacker controlling a TLS server can exploit this remotely without authentication or user interaction.
Integer underflow in TLS 1.3 ECH (Encrypted Client Hello) extension parsing within wolfSSL allows remote attackers to trigger heap buffer overflow conditions with availability impact through specially crafted network packets. While ECH is disabled by default in wolfSSL and the specification remains unstable, exploitation requires no authentication and succeeds under specific timing conditions. No patch is currently available for this vulnerability.
CVE-2026-3580 is a security vulnerability (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
CVE-2026-3579 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.
Buffer overflow vulnerabilities in wolfSSL's CRL parser enable heap and stack memory corruption when processing maliciously crafted Certificate Revocation Lists, allowing potential code execution on affected systems. This vulnerability only impacts installations with explicit CRL support enabled that load CRLs from untrusted sources. No patch is currently available.
Heap buffer overflow in wolfSSL's session deserialization function allows local attackers with low privileges to corrupt heap memory by crafting malicious session data with invalid certificate lengths. The vulnerability affects systems with SESSION_CERTS enabled that load external session data, requiring user interaction or specific configuration to exploit. No patch is currently available.
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket.
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality.
CVE-2026-2645 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. Rated low severity (CVSS 2.3); remotely exploitable with low attack complexity.
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the. Rated low severity (CVSS 1.0). No vendor patch available.
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted. Rated medium severity (CVSS 6.3); remotely exploitable with no authentication required and low attack complexity.
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. Rated low severity (CVSS 2.1); remotely exploitable with low attack complexity.
Improper input validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via. Rated low severity (CVSS 2.3); remotely exploitable with low attack complexity.
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. Rated low severity (CVSS 2.3); remotely exploitable with low attack complexity.
Integer underflow leads to out-of-bounds access in XChaCha20-Poly1305 decrypt. Rated low severity (CVSS 2.1); remotely exploitable with no authentication required and low attack complexity.
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. Rated medium severity (CVSS 6.3); remotely exploitable with no authentication required and low attack complexity.