CVE-2026-2645

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-2645

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2645.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-2645

Downstream

DEBIAN-CVE-2026-2645

UBUNTU-CVE-2026-2645

Published

2026-03-19T18:16:22.043Z

Modified

2026-04-10T05:36:58.769346Z

Severity

5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake.

References

https://github.com/wolfSSL/wolfssl/pull/9694

Affected packages

Git / github.com/wolfSSL/wolfssl

Affected ranges

Type

GIT

Repo

https://github.com/wolfSSL/wolfssl

Events

Introduced

Fixed

59f4fa568615396fbf381b073b220d1e8d61e4c2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.8.4"
        }
    ]
}

Affected versions

Other

WCv4-rng-stable

list

wolfEntropy1

WCv5.*

WCv5.0-RC10

WCv5.0-RC11

WCv5.0-RC12

WCv5.0-RC9

v0.*

v0.5

v1.*

v1.8.8.0

v1.9.0

v2.*

v2.0.2

v2.0.3

v2.0.6

v2.0.8

v2.0rc1

v2.0rc2

v2.0rc2b

v2.0rc3

v2.4.2

v2.4.6

v2.4.7

v2.6.0

v2.6.2

v2.7.0

v2.7.2

v2.8.0

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.5a

v2.8.6

v2.9.0

v2.9.1

v2.9.2

v2.9.4

v3.*

v3.10.0-stable

v3.10.0a

v3.10.2-stable

v3.10.3

v3.11.0-stable

v3.11.1-tls13-beta

v3.12.0-stable

v3.12.2-stable

v3.13.0-stable

v3.13.2

v3.13.3

v3.14.0-stable

v3.14.0a

v3.14.0b

v3.14.2

v3.14.4

v3.15.0-stable

v3.15.3-stable

v3.15.5-stable

v3.15.5a

v3.15.6

v3.15.7-stable

v3.2.0

v3.2.4

v3.2.6

v3.3.0

v3.3.3

v3.4.0

v3.4.2

v3.4.6

v3.6.8

v3.6.9

v3.7.0

v3.7.1

v3.7.3

v3.8.0

v3.9.0

v3.9.1

v3.9.10-stable

v3.9.10b

v3.9.6

v3.9.6w

v3.9.8

v4.*

v4.0.0-stable

v4.1.0-stable

v4.2.0-stable

v4.2.0c

v4.3.0-stable

v4.4.0-stable

v4.5.0-stable

v4.6.0-stable

v4.7.0-stable

v4.7.1r

v4.8.0-stable

v5.*

v5.0.0-stable

v5.1.0-stable

v5.2.0-stable

v5.2.1

v5.3.0-stable

v5.4.0-stable

v5.5.0-stable

v5.5.1-stable

v5.5.2-stable

v5.5.3-stable

v5.5.4-stable

v5.6.0-stable

v5.6.2-stable

v5.6.3-stable

v5.6.4-stable

v5.6.6-stable

v5.7.0-stable

v5.7.2-stable

v5.7.4-stable

v5.7.6-stable

v5.8.0-stable

v5.8.2-stable

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2645.json"