CVE-2026-5446
GCM Nonce Reuse in wolfSSL ARIA-GCM Enables Ciphertext Replay
Publication date: 2026-04-09
Last updated on: 2026-04-29
Assigner: wolfSSL Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wolfssl | wolfssl | From 5.2.1 (inc) to 5.9.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-323 | Nonces should be used for the present occasion and only once. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?:
Reusing the same GCM nonce across multiple encrypted records severely weakens the encrypted channel: it enables cryptographic attacks that can recover plaintext and compromise the confidentiality and integrity of the communication. This undermines the protection that TLS/DTLS is meant to provide and could expose sensitive information transmitted over the network.
Can you explain this vulnerability to me?:
This vulnerability exists in wolfSSL when using ARIA-GCM cipher suites with TLS 1.2 and DTLS 1.2. The issue is that the 12-byte GCM nonce, which should be unique for each encrypted record, is reused identically for every application-data record. This happens because the encryption function wc_AriaEncrypt is stateless and directly uses the caller-supplied IV without incrementing it. Additionally, the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This flaw affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK, which is an opt-in configuration mainly for Korean regulatory deployments.
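The following is an added illustration, not wolfSSL code and not a reproduction of the wc_AriaEncrypt path. It is a stdlib-only toy model of the TLS 1.2 GCM nonce layout (RFC 5288: a 4-byte implicit salt from the key block plus an 8-byte explicit nonce carried in the clear at the front of each application-data record, the layout the ARIA-GCM suites also use). `CorrectNonceState` advances the explicit part per record; `StatelessNonce` models the behaviour the record above describes (explicit IV zero-initialised and handed to a stateless encrypt call unchanged). Because the explicit nonce is transmitted in cleartext, a defender can audit a captured record stream for repeats without any key material, which is what `audit_stream` does over constructed sample records. All class and function names, and the sample streams, are this example's own assumptions.

```python
"""Toy model of TLS 1.2 AEAD nonce bookkeeping plus a record-level check for
repeated explicit nonces.  Constructed example: no wolfSSL code, no real
ARIA/GCM encryption, only the nonce handling and the on-the-wire framing."""
import struct
from typing import Iterable, Iterator

IMPLICIT_LEN = 4   # salt from the key block (client_write_IV / server_write_IV)
EXPLICIT_LEN = 8   # per-record nonce sent in the clear in front of the ciphertext


class CorrectNonceState:
    """Keeps the 8-byte explicit nonce as a counter and bumps it per record."""

    def __init__(self, implicit_iv: bytes) -> None:
        assert len(implicit_iv) == IMPLICIT_LEN
        self.implicit_iv = implicit_iv
        self.counter = 0

    def next_nonce(self) -> bytes:
        explicit = struct.pack(">Q", self.counter)
        self.counter += 1  # the step the flawed path omits
        return self.implicit_iv + explicit


class StatelessNonce:
    """Models the flawed behaviour described in the CVE text (hypothetical model):
    the explicit IV starts at zero and is reused unchanged for every record."""

    def __init__(self, implicit_iv: bytes) -> None:
        assert len(implicit_iv) == IMPLICIT_LEN
        self.implicit_iv = implicit_iv
        self.explicit_iv = bytes(EXPLICIT_LEN)  # zero-initialised, never advanced

    def next_nonce(self) -> bytes:
        return self.implicit_iv + self.explicit_iv


def find_reused_nonces(nonces: Iterable[bytes]) -> dict[bytes, int]:
    """Return {nonce: occurrence_count} for every nonce seen more than once."""
    counts: dict[bytes, int] = {}
    for n in nonces:
        counts[n] = counts.get(n, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def iter_records(stream: bytes) -> Iterator[tuple[int, bytes]]:
    """Split a raw TLS byte stream into (content_type, fragment) pairs."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack(">BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record")
        yield ctype, frag
        off += 5 + length


def explicit_nonces_in_stream(stream: bytes) -> list[bytes]:
    """Explicit nonces of the application_data (0x17) records in one direction."""
    return [frag[:EXPLICIT_LEN] for ctype, frag in iter_records(stream)
            if ctype == 0x17 and len(frag) >= EXPLICIT_LEN]


def audit_stream(stream: bytes) -> dict[bytes, int]:
    """Defender-side check: which explicit nonces repeat in a captured stream."""
    return find_reused_nonces(explicit_nonces_in_stream(stream))


def build_record(explicit: bytes, body: bytes) -> bytes:
    """Frame one application_data record: type 0x17, version TLS 1.2, length."""
    payload = explicit + body
    return struct.pack(">BHH", 0x17, 0x0303, len(payload)) + payload


# Constructed sample captures, three application-data records from one peer each.
# "body" stands in for ciphertext+tag; its content is irrelevant to the audit.
FLAWED_STREAM = b"".join(build_record(bytes(EXPLICIT_LEN), b"\xaa" * 24)
                         for _ in range(3))
HEALTHY_STREAM = b"".join(build_record(struct.pack(">Q", i), b"\xaa" * 24)
                          for i in range(3))

if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"
    good = CorrectNonceState(salt)
    bad = StatelessNonce(salt)
    print("correct state reuse:", find_reused_nonces(good.next_nonce() for _ in range(100)))
    print("stateless reuse:   ", find_reused_nonces(bad.next_nonce() for _ in range(3)))
    print("flawed capture:    ", audit_stream(FLAWED_STREAM))
    print("healthy capture:   ", audit_stream(HEALTHY_STREAM))
```

The audit is per direction: client-to-server and server-to-client records use different implicit salts, so a capture should be split by direction before nonces are compared. A non-empty result from `audit_stream` on any GCM-protected TLS 1.2 or DTLS 1.2 session is a red flag regardless of cipher, since the explicit nonce must never repeat under one key.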
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.