CVE-2026-3849

Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wolfSSL/wolfssl/pull/9737	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*

History

26 Mar 2026, 18:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wolfssl:wolfssl::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/wolfSSL/wolfssl/pull/9737 -~~	() https://github.com/wolfSSL/wolfssl/pull/9737 - Issue Tracking, Patch
Summary		(es) Desbordamiento de búfer de pila en wc_HpkeLabeledExtract a través de una configuración ECH sobredimensionada. Existía una vulnerabilidad en el soporte ECH (Encrypted Client Hello) de wolfSSL 5.8.4, donde una configuración ECH creada maliciosamente podría causar un desbordamiento de búfer de pila en el lado del cliente, lo que podría llevar a una ejecución remota potencial y a un fallo del programa del cliente. Esto podría ser explotado por un servidor TLS malicioso que soporte ECH. Tenga en cuenta que ECH está desactivado por defecto y solo se habilita con enable-ech.
First Time		Wolfssl Wolfssl wolfssl

19 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 21:17

Updated : 2026-03-26 18:20

NVD link : CVE-2026-3849

Mitre link : CVE-2026-3849

CVE.ORG link : CVE-2026-3849

JSON object : View

Products Affected

wolfssl

wolfssl

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-3849", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "facts@wolfssl.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T21:17:13.407", "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9737", "tags": ["Issue Tracking", "Patch"], "source": "facts@wolfssl.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "facts@wolfssl.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech."}, {"lang": "es", "value": "Desbordamiento de b\u00fafer de pila en wc_HpkeLabeledExtract a trav\u00e9s de una configuraci\u00f3n ECH sobredimensionada. Exist\u00eda una vulnerabilidad en el soporte ECH (Encrypted Client Hello) de wolfSSL 5.8.4, donde una configuraci\u00f3n ECH creada maliciosamente podr\u00eda causar un desbordamiento de b\u00fafer de pila en el lado del cliente, lo que podr\u00eda llevar a una ejecuci\u00f3n remota potencial y a un fallo del programa del cliente. Esto podr\u00eda ser explotado por un servidor TLS malicioso que soporte ECH. Tenga en cuenta que ECH est\u00e1 desactivado por defecto y solo se habilita con enable-ech."}], "lastModified": "2026-03-26T18:20:36.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D7DB269-3D15-4DD9-B47E-2A94CC36BE3E", "versionEndExcluding": "5.9.0", "versionStartIncluding": "5.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "facts@wolfssl.com"}