CVE-2026-3230
Predictable TLS Secrets in wolfSSL TLS 1.3 HelloRetryRequest
Publication date: 2026-03-19
Last updated on: 2026-03-26
Assigner: wolfSSL Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | versions before 5.9.0 (5.9.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This wolfSSL vulnerability stems from a missing check in the TLS 1.3 client's handling of a HelloRetryRequest. A crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension causes the client to derive predictable traffic secrets from the (EC)DHE shared secret.
As a result, the confidentiality of TLS-protected communications can be compromised because the traffic secrets become predictable. However, this issue does not affect the client's ability to authenticate the server during the TLS handshake.
How can this vulnerability impact me?
The vulnerability compromises the confidentiality of your TLS-protected communications. An attacker who exploits this flaw can predict the traffic secrets, which undermines the security guarantees of TLS 1.3.
This could expose sensitive data transmitted over the network, because the keys used to encrypt the session become predictable when the key_share extension is missing from the handshake.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update wolfSSL to a version that includes the fix for CVE-2026-3230.
The fix involves adding a verification step to ensure the presence of the KeyShare extension in the ServerHello message during the TLS handshake, preventing the derivation of predictable traffic secrets.
This fix was merged into the wolfSSL master branch on February 10, 2026, so applying the latest wolfSSL updates or patches after this date will address the issue.
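The check the fix describes, as an added example written for this page rather than wolfSSL's own code: a small parser over a TLS 1.3 ServerHello body that reports whether the key_share extension (type 0x0033, RFC 8446) is present, plus a constructed sample message built with and without it. A client that gets 0 or -1 from this check after a HelloRetryRequest should abort the handshake instead of continuing into traffic-secret derivation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define TLS_EXT_KEY_SHARE 0x0033   /* ExtensionType key_share, RFC 8446 section 4.2 */

/* Walk a TLS 1.3 ServerHello body (bytes after the 4-byte handshake header).
 * Returns 1 = key_share present, 0 = absent, -1 = malformed (treat as fatal). */
int server_hello_has_key_share(const uint8_t *b, size_t len)
{
    size_t pos = 2 + 32, ext_end;                 /* skip legacy_version + random */
    int found = 0;
    if (len < pos + 1 || b[pos] > 32) return -1;
    pos += 1 + b[pos];                            /* legacy_session_id_echo */
    if (pos + 5 > len) return -1;                 /* cipher_suite(2) + compression(1) + ext len(2) */
    pos += 3;
    ext_end = pos + 2 + (((size_t)b[pos] << 8) | b[pos + 1]);
    pos += 2;
    if (ext_end != len) return -1;                /* extensions must fill the body exactly */
    while (pos < ext_end) {                       /* entries: type(2) length(2) data */
        size_t elen;
        if (pos + 4 > ext_end) return -1;
        elen = ((size_t)b[pos + 2] << 8) | b[pos + 3];
        if (pos + 4 + elen > ext_end) return -1;
        if (((b[pos] << 8) | b[pos + 1]) == TLS_EXT_KEY_SHARE) found = 1;
        pos += 4 + elen;
    }
    return found;
}

size_t build_server_hello(uint8_t *out, int with_key_share)  /* constructed sample, not a capture */
{
    static const uint8_t sv[] = {0x00, 0x2b, 0x00, 0x02, 0x03, 0x04};            /* supported_versions=0x0304 */
    static const uint8_t ks[] = {0x00, 0x33, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20}; /* key_share: x25519, 32-byte key */
    size_t pos = 0, ext_len_pos;
    out[pos++] = 0x03; out[pos++] = 0x03;                    /* legacy_version */
    memset(out + pos, 0xAA, 32); pos += 32;                  /* random: constructed filler */
    out[pos++] = 0x00;                                       /* empty legacy_session_id_echo */
    out[pos++] = 0x13; out[pos++] = 0x01; out[pos++] = 0x00; /* TLS_AES_128_GCM_SHA256, null compression */
    ext_len_pos = pos; pos += 2;                             /* extensions length, patched below */
    memcpy(out + pos, sv, sizeof sv); pos += sizeof sv;
    if (with_key_share) {
        memcpy(out + pos, ks, sizeof ks); pos += sizeof ks;
        memset(out + pos, 0xBB, 32); pos += 32;              /* placeholder public key bytes */
    }
    out[ext_len_pos] = (uint8_t)((pos - ext_len_pos - 2) >> 8);
    out[ext_len_pos + 1] = (uint8_t)(pos - ext_len_pos - 2);
    return pos;
}
```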