CVE-2026-11703
Received - Intake
TLS Session Resumption SNI/ALPN Binding Bypass

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor  | Product | Version / Range
wolfssl | wolfssl | *
CWE ID  | Description
CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

This vulnerability involves a missing Server Name Indication (SNI) and Application-Layer Protocol Negotiation (ALPN) binding during stateful (session-ID) resumption in TLS connections. Previously, the binding check was only performed for ticket-based resumption, allowing a cached session to be resumed under a different SNI or ALPN than originally negotiated.

As a result, if client-authentication policies differ across virtual hosts, the cached peer-authentication state could be carried into a context it was not intended for. The fix ensures that resumption verifies the SNI/ALPN binding for all resumption paths and declines resumption (falling back to a full handshake) if there is a mismatch.
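The resumption decision described above, modelled in C as an added example (it is not wolfSSL's code and not part of the original advisory). All type and function names are hypothetical, the cache entry is constructed sample data, and exact byte comparison of the SNI and ALPN values is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical cache entry: what the server stored after the full handshake. */
typedef struct {
    unsigned char id[32];
    size_t        id_len;
    char          sni[64];            /* server name originally negotiated */
    char          alpn[16];           /* ALPN protocol originally negotiated */
    bool          peer_authenticated; /* client cert verified under that vhost's policy */
} cached_session;

typedef enum { FULL_HANDSHAKE, RESUME } resume_decision;

/* Constructed sample: session created on a vhost that required a client cert. */
static const cached_session sample_cache[1] = {
    { {0xA1, 0xB2, 0xC3, 0xD4}, 4, "admin.example.test", "h2", true }
};

/* An absent SNI/ALPN is treated as "" and only matches an absent value. */
static bool binding_matches(const cached_session *s, const char *sni, const char *alpn)
{
    return strcmp(s->sni, sni ? sni : "") == 0 &&
           strcmp(s->alpn, alpn ? alpn : "") == 0;
}

/* check_binding=false models the pre-fix session-ID path (ID match only);
   check_binding=true models the fixed path that declines on mismatch. */
resume_decision decide_resumption(const cached_session *cache, size_t n,
                                  const unsigned char *id, size_t id_len,
                                  const char *sni, const char *alpn,
                                  bool check_binding, bool *peer_auth_out)
{
    *peer_auth_out = false;
    for (size_t i = 0; i < n; i++) {
        const cached_session *s = &cache[i];
        if (id_len == 0 || s->id_len != id_len || memcmp(s->id, id, id_len) != 0)
            continue;
        if (check_binding && !binding_matches(s, sni, alpn))
            return FULL_HANDSHAKE;   /* decline: peer must authenticate again */
        *peer_auth_out = s->peer_authenticated;
        return RESUME;
    }
    return FULL_HANDSHAKE;
}

int main(void) {   /* exits 0 when the mismatched resumption is declined */
    bool auth; const unsigned char id[4] = {0xA1, 0xB2, 0xC3, 0xD4};
    return decide_resumption(sample_cache, 1, id, 4, "public.example.test", "h2", true, &auth) != FULL_HANDSHAKE;
}
```

With the binding check disabled, the same session ID presented under a different server name resumes and inherits the cached authentication flag; with it enabled, the lookup falls back to a full handshake so the policy of the requested virtual host is applied.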

Impact Analysis

This vulnerability can allow a cached TLS session to be resumed under a different server name or protocol than originally negotiated. If client-authentication policies vary between virtual hosts, this could lead to unauthorized reuse of authentication states in unintended contexts.

Such behavior might enable attackers to bypass certain authentication restrictions or gain access to resources by exploiting the incorrect session resumption, potentially compromising the security of communications.
