CVE-2026-3230
Received Received - Intake
Predictable TLS Secrets in wolfSSL TLS 1.3 HelloRetryRequest

Publication date: 2026-03-19

Last updated on: 2026-03-26

Assigner: wolfSSL Inc.

Description
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3230
EUVD
EUVD-2026-13209
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in wolfSSL involves a missing required cryptographic step during the TLS 1.3 client HelloRetryRequest handshake. Specifically, a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension can cause the derivation of predictable traffic secrets from the (EC)DHE shared secret.

As a result, the confidentiality of TLS-protected communications can be compromised because the traffic secrets become predictable. However, this issue does not affect the client's ability to authenticate the server during the TLS handshake.

Impact Analysis

The vulnerability can impact you by compromising the confidentiality of your TLS-protected communications. An attacker who exploits this flaw can potentially predict traffic secrets, which undermines the security guarantees of TLS 1.3.

This could lead to exposure of sensitive data transmitted over the network, as the encryption keys used to protect the communication become predictable due to the missing key_share extension in the handshake.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update wolfSSL to a version that includes the fix for CVE-2026-3230.

The fix involves adding a verification step to ensure the presence of the KeyShare extension in the ServerHello message during the TLS handshake, preventing the derivation of predictable traffic secrets.

This fix was merged into the wolfSSL master branch on February 10, 2026, so applying the latest wolfSSL updates or patches after this date will address the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart