CVE-2026-5446
Received Received - Intake
GCM Nonce Reuse in wolfSSL ARIA-GCM Enables Ciphertext Replay

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: wolfSSL Inc.

Description
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5446
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wolfssl wolfssl From 5.2.1 (inc) to 5.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-323 Nonces should be used for the present occasion and only once.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

Reusing the same GCM nonce for multiple encrypted records can severely weaken the security of the encrypted communication. It can allow attackers to perform cryptographic attacks that may lead to the recovery of plaintext data or compromise the confidentiality and integrity of the communication. This undermines the protection provided by TLS/DTLS and could expose sensitive information transmitted over the network.

Executive Summary

This vulnerability exists in wolfSSL when using ARIA-GCM cipher suites with TLS 1.2 and DTLS 1.2. The issue is that the 12-byte GCM nonce, which should be unique for each encrypted record, is reused identically for every application-data record. This happens because the encryption function wc_AriaEncrypt is stateless and directly uses the caller-supplied IV without incrementing it. Additionally, the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This flaw affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK, which is an opt-in configuration mainly for Korean regulatory deployments.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart