JLSEC-2026-672

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-672.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-672.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-672
Upstream
Published
2026-07-14T21:41:35.775Z
Modified
2026-07-18T00:00:59.670743523Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSLclear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSLclear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSLclear instead of the recommended SSLfree; SSLnew sequence are affected. Furthermore, wolfSSLclear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.

Database specific
{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-38152",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38152",
            "modified": "2026-06-17T04:56:12.137Z",
            "id": "CVE-2022-38152",
            "imported": "2026-07-17T22:23:05.187Z",
            "published": "2022-08-31T17:15:08.297Z",
            "database_specific": {
                "status": "Modified"
            }
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / wolfSSL_jll

Package

Name
wolfSSL_jll
Purl
pkg:julia/wolfSSL_jll?uuid=98c43586-9870-5ae5-ab22-acc77b9bbdb5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.7.2+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-672.json"