wolfSSL
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*
A heap use-after-free vulnerability has been identified in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing. The issue arises in the error handling path of the function TLSX_KeyShare_ProcessPqcHybridClient(), where a KyberKey object is freed upon encountering an error. Subsequently, the caller invokes TLSX_KeyShare_FreeAll(), which attempts to access the already-freed KyberKey, leading to unauthorized writes over freed heap memory.
Triggering that error path therefore produces a heap use-after-free, which can corrupt heap memory.
Users are advised to update to the latest version of wolfSSL, where this vulnerability has been addressed.
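As an added illustration (not wolfSSL's own code), a minimal C model of the pattern the advisory describes: the processing function's error path releases the key but leaves the owner's pointer in place, so the caller's unconditional cleanup releases it again; the fixed variant clears the pointer after the release. The names HybridKey, KeyShareEntry, key_release and free_all are assumptions, and a second release is counted via a flag rather than performed, so the model does not itself corrupt the heap.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the bug class in the advisory (not wolfSSL code).
 * Objects carry a 'live' flag so a second release is counted instead of
 * corrupting the heap; in real code ASan or a hardened allocator would be
 * needed to observe the same event. */
typedef struct {
    int live;                 /* 1 while allocated, 0 after release */
    unsigned char secret[32]; /* stands in for the KEM private key */
} HybridKey;

typedef struct { HybridKey *key; } KeyShareEntry; /* hypothetical owner struct */

static int g_double_release; /* incremented when a released key is released again */

static HybridKey *key_new(void) {
    HybridKey *k = calloc(1, sizeof *k);
    if (k) k->live = 1;
    return k;
}

static void key_release(HybridKey *k) {
    if (!k) return;
    if (!k->live) { g_double_release++; return; } /* use-after-free caught */
    memset(k->secret, 0, sizeof k->secret);
    k->live = 0; /* block kept for the driver to free; real code frees here */
}

/* Buggy: releases the key on error but leaves e->key dangling. */
static int process_buggy(KeyShareEntry *e, int fail) {
    if (fail) { key_release(e->key); return -1; }
    return 0;
}

/* Fixed: clear the owner's pointer after the release, so the caller's
 * cleanup sees nothing left to free. */
static int process_fixed(KeyShareEntry *e, int fail) {
    if (fail) { key_release(e->key); e->key = NULL; return -1; }
    return 0;
}

/* Caller's unconditional cleanup, in the role of TLSX_KeyShare_FreeAll(). */
static void free_all(KeyShareEntry *e) { key_release(e->key); e->key = NULL; }

/* Drives the error path and returns how many double releases occurred. */
static int run_error_path(int (*process)(KeyShareEntry *, int)) {
    KeyShareEntry e = { key_new() };
    HybridKey *k = e.key;
    g_double_release = 0;
    if (process(&e, 1) != 0) free_all(&e); /* error: caller tears everything down */
    free(k);                               /* model teardown of the tracked block */
    return g_double_release;
}
```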