pkg:Debian/wolfssl
108 total CVEs: CRITICAL 21, HIGH 35, MEDIUM 46, LOW 4
All known vulnerabilities
- from 0
- CRITICAL 9.8 CVE-2026-5187: Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. (from 0)
- CRITICAL 9.8 CVE-2026-4395: Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write att… (from 0)
- from 0
- from 0
- CRITICAL 9.8 CVE-2026-3548: Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur wh… (from 0)
- CRITICAL 9.8 CVE-2025-7394: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for p… (from 0)
- CRITICAL 9.8 CVE-2021-37155: wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the seri… (from 0, < 4.6.0+p1-0+deb11u1)
- CRITICAL 9.8 CVE-2020-36177: RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest… (from 0, < 4.6.0-1)
- CRITICAL 9.8 CVE-2019-16748: In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. (from 0, < 4.2.0+dfsg-1)
- CRITICAL 9.8 CVE-2019-15651: wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byt… (from 0, < 4.1.0+dfsg-2)
- CRITICAL 9.8 CVE-2019-11873: wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. (from 0, < 4.1.0+dfsg-1)
- CRITICAL 9.8 CVE-2019-6439: examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow. (from 0, < 4.1.0+dfsg-1)
- CRITICAL 9.8 CVE-2017-2800: A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certi… (from 0, < 3.12.0+dfsg-1)
- from 0
- CRITICAL 9.1 CVE-2026-5503: In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. (from 0)
- CRITICAL 9.1 CVE-2026-5194: Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriat… (from 0)
- CRITICAL 9.1 CVE-2024-0901: Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malforme… (from 0)
- CRITICAL 9.1 CVE-2023-6936: In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attac… (from 0)
- CRITICAL 9.1 CVE-2022-42905: In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network att… (from 0, < 4.6.0+p1-0+deb11u2)
- from 0, < 5.1.1-1
- HIGH 8.8 CVE-2024-2881: Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows a… (from 0)
- HIGH 8.8 CVE-2024-1545: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allo… (from 0)
- HIGH 8.8 CVE-2023-3724: If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a… (from 0, < 4.6.0+p1-0+deb11u2)
- from 0
- HIGH 8.1 CVE-2026-5501: wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if th… (from 0)
- HIGH 8.1 CVE-2026-5479: In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization function… (from 0)
- HIGH 8.1 CVE-2026-5466: wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin`… (from 0)
- HIGH 8.1 CVE-2026-5188: An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. (from 0)
- HIGH 8.1 CVE-2026-2646: A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. (from 0)
- HIGH 8.1 CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED225… (from 0, < 4.6.0-3)
- HIGH 8.0 CVE-2026-5295: A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. (from 0)
- HIGH 7.8 CVE-2017-8854: wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed… (from 0, < 3.10.2+dfsg-1)
- HIGH 7.5 CVE-2026-5477: An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. (from 0)
- from 0
- from 0
- HIGH 7.5 CVE-2026-2645: In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. (from 0)
- HIGH 7.5 CVE-2025-12888: Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CP… (from 0)
- HIGH 7.5 CVE-2025-11935: With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client wo… (from 0)
- HIGH 7.5 CVE-2024-5991: In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. (from 0)
- HIGH 7.5 CVE-2022-39173: In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. (from 0, < 4.6.0+p1-0+deb11u2)
- from 0
- HIGH 7.5 CVE-2022-34293: wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. (from 0)
- HIGH 7.5 CVE-2022-25640: In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. (from 0, < 4.6.0+p1-0+deb11u1)
- from 0, < 4.5.0+dfsg-1
- HIGH 7.5 CVE-2020-11713: wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. (from 0, < 4.4.0+dfsg-1)
- HIGH 7.5 CVE-2019-19962: wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography. (from 0, < 4.3.0+dfsg-1)
- HIGH 7.5 CVE-2014-2904: wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. (from 0, < 3.4.8+dfsg-1)
- HIGH 7.5 CVE-2014-2902: wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. (from 0, < 3.4.8+dfsg-1)
- HIGH 7.5 CVE-2014-2901: wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. (from 0, < 3.4.8+dfsg-1)
- HIGH 7.5 CVE-2019-18840: In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. (from 0, < 4.2.0+dfsg-3)
- HIGH 7.5 CVE-2017-8855: wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key. (from 0, < 3.12.0+dfsg-1)
- HIGH 7.5 CVE-2015-6925: wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification)… (from 0, < 3.9.10+dfsg-1)
- HIGH 7.1 CVE-2026-5446: In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. (from 0)
- HIGH 7.1 CVE-2026-0819: A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. (from 0)
- HIGH 7.0 CVE-2020-15309: An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. (from 0, < 4.5.0+dfsg-1)
- MEDIUM 6.8 CVE-2020-24613: wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. (from 0, < 4.5.0+dfsg-1)
- MEDIUM 6.5 CVE-2026-5460: A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. (from 0)
- MEDIUM 6.5 CVE-2026-5778: Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a… (from 0)
- MEDIUM 6.5 CVE-2026-5263: URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/as… (from 0)
- MEDIUM 6.5 CVE-2025-11933: Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthent… (from 0)
- MEDIUM 6.5 CVE-2022-25638: In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. (from 0, < 4.6.0+p1-0+deb11u1)
- MEDIUM 5.9 CVE-2026-5500: wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bou… (from 0)
- MEDIUM 5.9 CVE-2026-3579: wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. (from 0)
- from 0
- MEDIUM 5.9 CVE-2023-6935: wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when buil… (from 0)
- MEDIUM 5.9 CVE-2021-44718: wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic… (from 0, < 4.6.0+p1-0+deb11u1)
- MEDIUM 5.9 CVE-2022-38153: An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. (from 0, < 5.5.3-1)
- MEDIUM 5.9 CVE-2021-38597: wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extens… (from 0, < 4.6.0+p1-0+deb11u1)
- MEDIUM 5.9 CVE-2018-16870: It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TL… (from 0, < 4.1.0+dfsg-1)
- MEDIUM 5.9 CVE-2017-13099: wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. (from 0, < 3.13.0+dfsg-1)
- MEDIUM 5.9 CVE-2014-2903: CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server cer… (from 0, < 3.4.8+dfsg-1)
- MEDIUM 5.9 CVE-2015-7744: wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when all… (from 0, < 3.9.10+dfsg-1)
- MEDIUM 5.5 CVE-2026-3229: An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data wa… (from 0)
- MEDIUM 5.5 CVE-2024-1543: The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line r… (from 0)
- MEDIUM 5.5 CVE-2017-6076: In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has… (from 0, < 3.10.2+dfsg-1)
- MEDIUM 5.5 CVE-2016-7440: The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users t… (from 0, < 3.9.10+dfsg-1)
- MEDIUM 5.5 CVE-2016-7439: The C software implementation of RSA in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by lev… (from 0, < 3.9.10+dfsg-1)
- MEDIUM 5.5 CVE-2016-7438: The C software implementation of ECC in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by lev… (from 0, < 3.9.10+dfsg-1)
- from 0
- MEDIUM 5.4 CVE-2025-12889: With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateR… (from 0)
- MEDIUM 5.3 CVE-2026-5504: A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption que… (from 0)
- MEDIUM 5.3 CVE-2026-5772: A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when th… (from 0)
- MEDIUM 5.3 CVE-2026-1005: Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting… (from 0)
- MEDIUM 5.3 CVE-2025-11936: Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated atta… (from 0)
- MEDIUM 5.3 CVE-2024-5814: A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a s… (from 0)
- MEDIUM 5.3 CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. (from 0)
- from 0, < 4.6.0+p1-0+deb11u2
- MEDIUM 5.3 CVE-2020-24585: An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. (from 0, < 4.5.0+dfsg-1)
- MEDIUM 5.3 CVE-2020-11735: The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates,… (from 0, < 4.4.0+dfsg-1)
- MEDIUM 5.3 CVE-2019-19963: An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. (from 0, < 4.3.0+dfsg-1)
- MEDIUM 5.3 CVE-2019-19960: In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks. (from 0, < 4.3.0+dfsg-1)
- MEDIUM 5.3 CVE-2019-14317: wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. (from 0, < 4.2.0+dfsg-1)
- MEDIUM 5.2 CVE-2026-3503: Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allo… (from 0)
- MEDIUM 4.9 CVE-2024-1544: Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the ord… (from 0)
- MEDIUM 4.9 CVE-2021-24116: In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain… (from 0, < 4.6.0-1)
- MEDIUM 4.7 CVE-2026-3580: In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting… (from 0)
- from 0, < 4.1.0+dfsg-1
- MEDIUM 4.7 CVE-2018-12436: wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hid… (from 0, < 3.15.3+dfsg-1)
- from 0
- MEDIUM 4.3 CVE-2025-11932: The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the P… (from 0)
- MEDIUM 4.0 CVE-2026-5507: When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. (from 0)
- from 0, < 3.4.8+dfsg-1
- LOW 3.3 CVE-2026-4159: 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. (from 0)
- LOW 2.7 CVE-2026-3230: Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the co… (from 0)
- LOW 2.7 CVE-2025-11934: Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platfor… (from 0)
- from 0
- — CVE-2025-13912: Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizatio… (from 0)