CVE-2026-3230
LOW EPSS 11.1%
Published Mar 19, 20263mo ago · Modified Mar 26, 20263mo ago
1.2 CVSS 4.0
Published Mar 19, 2026 3mo ago
Last Modified Mar 26, 2026 3mo ago
Description
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:X/U:Clear Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
11.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-20 Improper Input Validation Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| wolfssl | wolfssl | * | <5.9.0 |
References 1
- github.com https://github.com/wolfSSL/wolfssl/pull/9754
Remediation
- github.com https://github.com/wolfSSL/wolfssl/pull/9754