CVE-2025-11934

CVE-2025-11934 concerns wolfSSL’s TLS 1.3 CertificateVerify signature algorithm negotiation. The vulnerability stems from improper input validation that can downgrade the negotiated signature algorithm (e.g., client supports ECDSA P521 but server accepts and uses ECDSA P256), potentially weakenin...

CVE-2025-11934

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously...

CVE-2025-11934 Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously...

CVE-2025-11934

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously...

CVE-2025-11935

WolfSSL TLS 1.3 PSK handling vulnerability: when a server answers a ClientHello with psk_dhe_ke and no key_share, the client may proceed with an authenticated PSK without PFS, degrading security. Connected sources indicate WolfSSL has addressed this in fixes across TLS 1.2/1.3 and PSK processing ...

CVE-2025-11935 Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key PSK a malicious or faulty server could ignore the request for PFS perfect forward secrecy and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing pskdheke without a keyshare...

CVE-2025-11935 Forward Secrecy Violation in WolfSSL TLS 1.3

With TLS 1.3 pre-shared key PSK a malicious or faulty server could ignore the request for PFS perfect forward secrecy and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing pskdheke without a keyshare...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL version 5.8.2 and earlier, which stems from improper validation of the TLS 1.3 CKS extension parsing inpu...

PT-2025-47810

Name of the Vulnerable Software and Affected Versions wolfSSL versions 5.8.2 and earlier Description A flaw exists in the processing of TLS 1.3 CKS extensions within wolfSSL. This improper input validation can be triggered by a specially crafted ClientHello message containing duplicate CKS...

PT-2025-47811

Name of the Vulnerable Software and Affected Versions wolfSSL versions 5.8.2 and earlier Description A flaw exists in the TLS 1.3 CertificateVerify signature algorithm negotiation within wolfSSL. This issue allows for a downgrade in the signature algorithm used during the TLS handshake...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL that stems from the use of a non-constant time method for TLS 1.3 PSK binder validation, which could lead...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL CyaSSL versions 5.8.2 and earlier, which stems from improper validation of the TLS 1.3 CertificateVerify...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL CyaSSL, which stems from the fact that TLS 1.3 pre-shared keys may ignore PFS requests, potentially...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL that stems from compiler optimizations and time-side channels introduced by CPU architectural limitations...

PT-2025-47818

Name of the Vulnerable Software and Affected Versions wolfSSL version 5.8.2 Description A flaw exists in the TLS 1.3 KeyShareEntry parsing within wolfSSL. This issue allows a remote, unauthenticated attacker to trigger a denial-of-service condition. The attack involves sending a specially crafted...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL CyaSSL version v5.8.2, which stems from improper validation of TLS 1.3 KeyShareEntry parsed inputs, which...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL that stems from an integer underflow during the XChaCha20-Poly1305 decryption process, which could lead t...

Siemens SIMATIC S7-1500 Improper Certificate Validation (CVE-2024-2379)

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. This plugin only works wi...

CVE-2025-10966

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more...

Linux Distros Unpatched Vulnerability : CVE-2025-7395

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A certificate verification error in wolfSSL when building with the WOLFSSLSYSCACERTS and WOLFSSLAPPLENATIVECERTVALIDATION options results in the wolfSSL client...