CVE-2025-11934

LOW EPSS 4.6%

Published Nov 21, 20257mo ago · Modified Jun 17, 20261w ago

2.1 CVSS 4.0

Low

Published Nov 21, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

CVSS Details

Base Score

2.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

4.6% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 3

Vendor	Product	Version	Range
wolfssl	wolfssl	*	≥5.8.2 – <5.8.4
apple	macos	*	any
linux	linux_kernel	*	any

References 2

github.com https://github.com/wolfSSL/wolfssl

Product
github.com https://github.com/wolfSSL/wolfssl/pull/9113

Issue TrackingPatch

Remediation

github.com https://github.com/wolfSSL/wolfssl/pull/9113

Issue TrackingPatch