CVE-2025-11935
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-12-03
Assigner: wolfSSL Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | From 5.8.2 (inc) to 5.8.4 (exc) |
| apple | macos | * |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in TLS 1.3 when pre-shared keys (PSK) are used. A malicious or faulty server can ignore the client's request for perfect forward secrecy (PFS) and respond with a ServerHello that selects the PSK but omits the required key_share extension. The affected client then continues the handshake with the PSK alone, without an ephemeral (EC)DHE key exchange, so the authenticated PSK connection unexpectedly lacks PFS and its security is reduced.
How can this vulnerability impact me?
The vulnerability reduces the security of TLS 1.3 connections by allowing a server to bypass perfect forward secrecy when using pre-shared keys. This means that the confidentiality of past communications could be compromised if the PSK is later exposed, as the connection does not have the additional protection of PFS.
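Added example, not wolfSSL's code: a minimal client-side check that parses the ServerHello extensions block and rejects a PSK selection that lacks key_share when the client offered only psk_dhe_ke. Extension type numbers and PSK key-exchange modes are taken from RFC 8446; the sample ServerHello extension bytes are constructed here, not captured traffic.

```python
import struct

EXT_PRE_SHARED_KEY = 0x0029
EXT_KEY_SHARE = 0x0033
PSK_KE = 0       # psk_ke: PSK only, no (EC)DHE, no forward secrecy
PSK_DHE_KE = 1   # psk_dhe_ke: PSK plus (EC)DHE, gives forward secrecy


def parse_extensions(ext_block: bytes) -> dict:
    """Parse a TLS 1.3 extensions block (RFC 8446 s4.2):
    2-byte total length, then repeated {type(2) length(2) data}."""
    if len(ext_block) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", ext_block[:2])
    body = ext_block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length exceeds buffer")
    exts, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension")
        exts[ext_type] = data
        pos += ext_len
    return exts


def server_hello_acceptable(offered_modes: set, ext_block: bytes) -> bool:
    """True only if the server picked a PSK mode the client actually offered.
    A client that offered psk_dhe_ke alone must abort when the server selects
    the PSK (pre_shared_key present) but omits key_share: that is the downgrade
    described in this CVE."""
    exts = parse_extensions(ext_block)
    if EXT_PRE_SHARED_KEY not in exts:
        return True  # full (certificate) handshake, checked elsewhere
    if EXT_KEY_SHARE in exts:
        return PSK_DHE_KE in offered_modes
    return PSK_KE in offered_modes


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def _block(*exts: bytes) -> bytes:
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


# Constructed sample ServerHello extension blocks (not captured traffic).
PSK_WITH_KEY_SHARE = _block(_ext(EXT_PRE_SHARED_KEY, b"\x00\x00"),
                            _ext(EXT_KEY_SHARE, b"\x00\x1d\x00\x01\x00"))
PSK_WITHOUT_KEY_SHARE = _block(_ext(EXT_PRE_SHARED_KEY, b"\x00\x00"))
```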