CVE-2022-23408

wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.

References

Affected packages

Git / github.com/wolfssl/wolfssl

Affected ranges

Type

GIT

Repo

https://github.com/wolfssl/wolfssl

Events

Introduced

7e01af012157bc20c840011a018619915380f05c

Fixed

c3513bf2573c30f6d2df815de216120e92142020

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.1.1"
        }
    ]
}

Affected versions

WCv5.*

WCv5.0-RC10

WCv5.0-RC11

WCv5.0-RC12

v5.*

v5.0.0-stable

v5.1.0-stable

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "source": "https://github.com/wolfssl/wolfssl/commit/c3513bf2573c30f6d2df815de216120e92142020",
        "signature_version": "v1",
        "target": {
            "file": "wolfssl/wolfcrypt/types.h"
        },
        "id": "CVE-2022-23408-70232f27",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "200590224686773621064818426051680514278",
                "73842892001327371820861045504044856872",
                "180370452298823710791418685500416112741",
                "232453673344828506816027349836980723411"
            ],
            "threshold": 0.9
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23408.json"

vanir_signatures_modified

"2026-04-11T22:13:38Z"