CVSS: 1.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-13912 – Potential non-constant time compiled code with Clang LLVM
https://notcve.org/view.php?id=CVE-2025-13912
11 Dec 2025 — Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. • https://github.com/wolfSSL/wolfssl/pull/9148 • CWE-203: Observable Discrepancy •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-12889 – TLS 1.2 Client Can Downgrade Digest Used
https://notcve.org/view.php?id=CVE-2025-12889
21 Nov 2025 — With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. • https://github.com/wolfSSL/wolfssl/pull/9395 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11932 – Timing Side-Channel in PSK Binder Verification
https://notcve.org/view.php?id=CVE-2025-11932
21 Nov 2025 — The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder • https://github.com/wolfSSL/wolfssl/pull/9223 • CWE-203: Observable Discrepancy •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11931 – Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt
https://notcve.org/view.php?id=CVE-2025-11931
21 Nov 2025 — Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. • https://github.com/wolfSSL/wolfssl/pull/9223 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-12888 – Constant Time Issue with Xtensa-based ESP32 and X22519
https://notcve.org/view.php?id=CVE-2025-12888
21 Nov 2025 — Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. • https://https://github.com/wolfSSL/wolfssl/pull/9275 • CWE-203: Observable Discrepancy •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11936 – Potential DoS Vulnerability through Multiple KeyShareEntry with Same Group in TLS 1.3 ClientHello
https://notcve.org/view.php?id=CVE-2025-11936
21 Nov 2025 — Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. • https://github.com/wolfSSL/wolfssl • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11933 – DoS Vulnerability in wolfSSL TLS 1.3 CKS Extension
https://notcve.org/view.php?id=CVE-2025-11933
21 Nov 2025 — Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. • https://github.com/wolfSSL/wolfssl • CWE-20: Improper Input Validation •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11934 – Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify
https://notcve.org/view.php?id=CVE-2025-11934
21 Nov 2025 — Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. • https://github.com/wolfSSL/wolfssl • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-11935 – Forward Secrecy Violation in WolfSSL TLS 1.3
https://notcve.org/view.php?id=CVE-2025-11935
21 Nov 2025 — With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. With TLS 1.3 pre-shared key (PSK) a malicious or faulty server c... • https://github.com/wolfSSL/wolfssl • CWE-326: Inadequate Encryption Strength •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-7394
https://notcve.org/view.php?id=CVE-2025-7394
18 Jul 2025 — In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in ... • https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •