Exploit Database

146,925 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-36177 WRITEUP CRITICAL
wolfSSL < 4.6.0 - Out-of-bounds Write in RsaPad_PSS
RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.
CVSS 9.8
CVE-2020-24585 WRITEUP MEDIUM
wolfssl < 4.5.0 - DTLS Handshake Spoofing via Clear Application Data in Epoch 0
An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.
CVSS 5.3
CVE-2020-24585 WRITEUP MEDIUM
wolfssl < 4.5.0 - DTLS Handshake Spoofing via Clear Application Data in Epoch 0
An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.
CVSS 5.3
CVE-2020-15309 WRITEUP HIGH
wolfssl < 4.5.0 - Cache-Timing Attack via Public Key Operations
An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key).
CVSS 7.0
CVE-2020-12457 WRITEUP HIGH
wolfssl < 4.5.0 - Denial of Service via TLS 1.3 ChangeCipherSpec Message Processing
An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
CVSS 7.5
CVE-2020-12457 WRITEUP HIGH
wolfssl < 4.5.0 - Denial of Service via TLS 1.3 ChangeCipherSpec Message Processing
An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
CVSS 7.5
CVE-2020-11735 WRITEUP MEDIUM
wolfssl < 4.4.0 - Observable Discrepancy in ECC Private-Key Operations
The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak."
CVSS 5.3
CVE-2020-11713 WRITEUP HIGH
wolfSSL 4.3.0 - Timing Side-Channel Attack in ECC Mulmod Operation
wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.
CVSS 7.5
CVE-2019-6439 WRITEUP CRITICAL
wolfssl < 3.15.7 - Heap-Based Buffer Overflow in TLS Benchmark Tool
examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow.
CVSS 9.8
CVE-2019-19963 WRITEUP MEDIUM
wolfssl < 4.3.0 - Side-Channel Attack via DSA Nonce Modular Inversion
An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. DSA signing uses the BEEA algorithm during modular inversion of the nonce, leading to a side-channel attack against the nonce.
CVSS 5.3
CVE-2019-19962 WRITEUP HIGH
wolfssl < 4.3.0 - Fault Injection in RSA Cryptography via wc_SignatureGenerateHash
wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography.
CVSS 7.5
CVE-2019-19960 WRITEUP MEDIUM
wolfssl < 4.3.0 - Side-Channel Attack via wc_ecc_mulmod_ex
In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks.
CVSS 5.3
CVE-2019-18840 WRITEUP HIGH
wolfSSL 4.1.0-4.2.0c - Heap-Based Buffer Overflow in ASN.1 Certificate Parsing
In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free.
CVSS 7.5
CVE-2019-16748 WRITEUP CRITICAL
wolfssl < 4.1.0 - Out-of-bounds Read in ASN.1 Certificate Parsing
In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c.
CVSS 9.8
CVE-2019-15651 WRITEUP CRITICAL
wolfSSL 4.1.0 - Heap-Based Buffer Over-Read in DecodeCertExtensions
wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex.
CVSS 9.8
CVE-2018-16870 WRITEUP MEDIUM
wolfssl < 3.15.7 - TLS Downgrade Attack via Bleichenbacher Attack Variant
It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TLS. This may lead to leakage of sensible data.
CVSS 5.9
CVE-2017-8855 WRITEUP HIGH
wolfSSL < 3.11.0 - Denial of Service via Malformed DH Key
wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key.
CVSS 7.5
CVE-2017-8854 WRITEUP HIGH
wolfSSL < 3.10.2 - Buffer Overflow via Malformed DH Parameter File
wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed temporary DH file.
CVSS 7.8
CVE-2017-6076 WRITEUP MEDIUM
wolfssl < 3.10.2 - Exposure of Sensitive Information via RSA Key Cache Side Channel
In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has access to view cache on a machine.
CVSS 5.5
CVE-2017-13099 WRITEUP HIGH
wolfSSL < 3.12.2 - Private Key Recovery via Bleichenbacher Oracle in RSA Key Exchange
wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT."
CVSS 7.5
CVE-2026-4395 WRITEUP CRITICAL
Heap-based buffer overflow in wc_ecc_import_x963_ex KCAPI path
Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange.
CVSS 9.8
CVE-2026-4159 WRITEUP LOW
wc_PKCS7_DecodeEnvelopedData 1 byte out-of-bounds read
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
CVSS 3.3
CVE-2026-3849 WRITEUP CRITICAL
Buffer Overflow in HPKE via Oversized ECH Config
Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.
CVSS 9.8
CVE-2026-3580 WRITEUP MEDIUM
Compiler-induced timing leak in sp_256_get_entry_256_9 on RISC-V
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.
CVSS 4.7
CVE-2026-3579 WRITEUP MEDIUM
Non-constant time multiplication subroutine __muldi3 on RISC-V RV32I
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data.
CVSS 5.9