CVE-2026-3549
Heap Overflow in wolfSSL TLS 1.3 ECH Parsing
Publication date: 2026-03-19
Last updated on: 2026-03-26
Assigner: wolfSSL Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | to 5.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap overflow in the TLS 1.3 Encrypted ClientHello (ECH) parsing within the wolfSSL library. It occurs due to an integer underflow when calculating a buffer length during ECH extension parsing. Specifically, subtracting the AES block size from an attacker-controlled length value without proper bounds checking causes the length to underflow for small values (0β15). This underflow leads to writing beyond the allocated buffer boundaries, resulting in a heap buffer overflow.
In wolfSSL, ECH is off by default and the ECH standard is still evolving. The issue was identified and fixed by adding bounds checks to reject too-small values, preventing the underflow and subsequent memory corruption.
How can this vulnerability impact me? :
This vulnerability can lead to memory safety issues such as heap buffer overflows and buffer over-reads during TLS 1.3 ECH parsing. Exploiting this flaw could allow an attacker to cause a crash or potentially execute arbitrary code within the context of the affected application using wolfSSL.
Since the vulnerability involves parsing attacker-controlled data without proper validation, it could be leveraged to compromise the security and stability of applications relying on wolfSSL for TLS communications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a heap overflow in TLS 1.3 ECH parsing due to an integer underflow when calculating buffer length. Detection would require monitoring for malformed or suspicious TLS 1.3 Encrypted ClientHello (ECH) messages that could trigger this condition.
Since wolfSSL has ECH off by default and the ECH standard is still evolving, detection might involve capturing TLS 1.3 handshake traffic and analyzing the ECH extension fields for abnormal lengths or malformed data.
No specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the wolfSSL library to the fixed version that includes the patch for CVE-2026-3549.
The fix adds bounds checking to reject too-small ECH innerClientHelloLen values, preventing the integer underflow and subsequent heap overflow.
Additionally, since ECH is off by default in wolfSSL, disabling ECH if enabled can reduce exposure until the patch is applied.