CVE-2026-3849

/* * PoC Concept for CVE-2026-3849 * This snippet demonstrates the vulnerable condition. * Triggering this requires a wolfSSL client compiled with --enable-ech * connecting to a server that sends a maliciously large ECH config. */ #include <stdio.h> #include <string.h> #include <wolfssl/ssl.h> void simulate_malicious_ech_config() { // This represents the oversized ECH config sent by a malicious server unsigned char oversized_ech_config[2048]; memset(oversized_ech_config, 0x41, sizeof(oversized_ech_config)); // In a real exploitation scenario, this data is sent during the TLS handshake // The client receives it and passes it to the vulnerable function printf("Simulating reception of oversized ECH config (%zu bytes)\n", sizeof(oversized_ech_config)); // The vulnerability occurs in wc_HpkeLabeledExtract when processing this buffer // without proper bounds checking, leading to a stack-based buffer overflow. // Vulnerable call context: // wc_HpkeLabeledExtract(..., oversized_ech_config, sizeof(oversized_ech_config)); } int main() { printf("CVE-2026-3849 PoC Simulation\n"); simulate_malicious_ech_config(); return 0; }

{"cve": {"id": "CVE-2026-3849", "sourceIdentifier": "[email protected]", "published": "2026-03-19T21:17:13.407", "lastModified": "2026-03-26T18:20:36.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech."}, {"lang": "es", "value": "Desbordamiento de búfer de pila en wc_HpkeLabeledExtract a través de una configuración ECH sobredimensionada. Existía una vulnerabilidad en el soporte ECH (Encrypted Client Hello) de wolfSSL 5.8.4, donde una configuración ECH creada maliciosamente podría causar un desbordamiento de búfer de pila en el lado del cliente, lo que podría llevar a una ejecución remota potencial y a un fallo del programa del cliente. Esto podría ser explotado por un servidor TLS malicioso que soporte ECH. Tenga en cuenta que ECH está desactivado por defecto y solo se habilita con enable-ech."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:M/U:Amber", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6.0", "versionEndExcluding": "5.9.0", "matchCriteriaId": "2D7DB269-3D15-4DD9-B47E-2A94CC36BE3E"}]}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/9737", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}