CVE-2022-23408

CRITICAL

wolfSSL <5.1.1 - Info Disclosure

Title source: llm

Description

wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.

Scores

CVSS v3: 9.1
EPSS: 0.0028
EPSS Percentile: 51.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE: CWE-330
Status: published
Products (1): wolfssl/wolfssl 5.0.0 - 5.1.1
Published: Jan 18, 2022
Tracked Since: Feb 18, 2026