CVE-2026-3549
Received Received - Intake
Heap Overflow in wolfSSL TLS 1.3 ECH Parsing

Publication date: 2026-03-19

Last updated on: 2026-03-26

Assigner: wolfSSL Inc.

Description
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3549
EUVD
EUVD-2026-13168
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl to 5.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap overflow in the TLS 1.3 Encrypted ClientHello (ECH) parsing within the wolfSSL library. It occurs due to an integer underflow when calculating a buffer length during ECH extension parsing. Specifically, subtracting the AES block size from an attacker-controlled length value without proper bounds checking causes the length to underflow for small values (0–15). This underflow leads to writing beyond the allocated buffer boundaries, resulting in a heap buffer overflow.

In wolfSSL, ECH is off by default and the ECH standard is still evolving. The issue was identified and fixed by adding bounds checks to reject too-small values, preventing the underflow and subsequent memory corruption.

Impact Analysis

This vulnerability can lead to memory safety issues such as heap buffer overflows and buffer over-reads during TLS 1.3 ECH parsing. Exploiting this flaw could allow an attacker to cause a crash or potentially execute arbitrary code within the context of the affected application using wolfSSL.

Since the vulnerability involves parsing attacker-controlled data without proper validation, it could be leveraged to compromise the security and stability of applications relying on wolfSSL for TLS communications.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves a heap overflow in TLS 1.3 ECH parsing due to an integer underflow when calculating buffer length. Detection would require monitoring for malformed or suspicious TLS 1.3 Encrypted ClientHello (ECH) messages that could trigger this condition.

Since wolfSSL has ECH off by default and the ECH standard is still evolving, detection might involve capturing TLS 1.3 handshake traffic and analyzing the ECH extension fields for abnormal lengths or malformed data.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

Immediate mitigation involves updating the wolfSSL library to the fixed version that includes the patch for CVE-2026-3549.

The fix adds bounds checking to reject too-small ECH innerClientHelloLen values, preventing the integer underflow and subsequent heap overflow.

Additionally, since ECH is off by default in wolfSSL, disabling ECH if enabled can reduce exposure until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart