CVE-2026-11703

Source
https://cve.org/CVERecord?id=CVE-2026-11703
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11703.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11703
Downstream
Published
2026-06-25T21:15:20.576Z
Modified
2026-07-16T03:48:15.492760727Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Missing SNI/ALPN binding on stateful (session-ID) TLS session resumption
Details

Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11703.json",
    "cna_assigner": "wolfSSL"
}
References

Affected packages

Git / github.com/wolfssl/wolfssl

Affected ranges

Type
GIT
Repo
https://github.com/wolfssl/wolfssl
Events
Database specific
{
    "cpe": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.15.0"
        },
        {
            "last_affected": "5.9.1"
        },
        {
            "fixed": "5.9.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

Other
WCv4-rng-stable
l
list
wolfEntropy1
wolfEntropy2d
WCv5.*
WCv5.0-RC10
WCv5.0-RC11
WCv5.0-RC12
WCv5.0-RC9
v3.*
v3.15.0-stable
v3.15.3-stable
v3.15.5-stable
v3.15.5a
v3.15.6
v3.15.7-stable
v4.*
v4.0.0-stable
v4.1.0-stable
v4.2.0-stable
v4.2.0c
v4.3.0-stable
v4.4.0-stable
v4.5.0-stable
v4.6.0-stable
v4.7.0-stable
v4.7.1r
v4.8.0-stable
v5.*
v5.0.0-stable
v5.1.0-stable
v5.2.0-stable
v5.2.1
v5.3.0-stable
v5.4.0-stable
v5.5.0-stable
v5.5.1-stable
v5.5.2-stable
v5.5.3-stable
v5.5.4-stable
v5.6.0-stable
v5.6.2-stable
v5.6.3-stable
v5.6.4-stable
v5.6.6-stable
v5.7.0-stable
v5.7.2-stable
v5.7.4-stable
v5.7.6-stable
v5.8.0-stable
v5.8.2-stable
v5.8.4-stable
v5.9.0-stable
v5.9.1-stable

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11703.json"