NIXPKGS-2026-0700

GitHub issue published on 23 Mar 2026

Permalink CVE-2026-3230

updated 6 days, 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 week, 2 days ago
@LeSuisse accepted 6 days, 6 hours ago
@LeSuisse published on GitHub 6 days, 6 hours ago

Improper key_share validation in TLS 1.3 HelloRetryRequest

Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes.

References

https://github.com/wolfSSL/wolfssl/pull/9754

Affected products

wolfSSL

<5.9.0

Matching in nixpkgs

pkgs.wolfssl

Small, fast, portable implementation of TLS/SSL for embedded devices

nixos-unstable 5.8.4
- nixpkgs-unstable 5.8.4
- nixos-unstable-small 5.8.4
nixos-25.11 5.8.4
- nixos-25.11-small 5.8.4
- nixpkgs-25.11-darwin 5.8.4

Package maintainers

@vifino Adrian Pistol <vifino@tty.sh>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Upstream patch: https://github.com/wolfSSL/wolfssl/commit/f810dc2a017b0e95f755740cb37c8884345c4de7

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0700

References

Affected products

Matching in nixpkgs

pkgs.wolfssl

Package maintainers