A vulnerable implementation of the ECH (Encrypted Client Hello) extension in TLS 1.3 gives rise to an integer underflow when determining the size of a buffer required to parse an ECH payload. The underflow causes the calculated buffer length to be smaller than the actual data processed, leading to a write beyond the allocated memory bounds. This type of flaw can corrupt adjacent memory structures and potentially allow an attacker to influence program control flow, crash the application, or execute arbitrary code. The weakness is categorized as CWE-122, reflecting a classic heap-based buffer overflow.\n

The flaw is present in the wolfSSL library, a widely used TLS/SSL implementation. The ECH extension handling is disabled by default in wolfSSL; however, systems that have enabled or plan to enable ECH are affected. No specific vulnerable version numbers are listed in the advisory, so any build of wolfSSL that has not incorporated the pull request correcting this issue remains impacted.\n

The CVSS score of 8.3 marks the vulnerability as High, indicating significant risk when it is exploitable. Epistemic probability analysis shows an EPSS score of less than 1%, suggesting that, at present, the overall likelihood of exploitation in the wild is low. The vulnerability has not been catalogued in CISA’s Known Exploited Vulnerabilities list. Exploitation would require an attacker to initiate a TLS 1.3 connection with an ECH payload that triggers the integer underflow; thus the attack vector is network-based, specifically through crafted TLS traffic. The exploit would need to reach the vulnerable code path in the library before any mitigations such as security hardening or runtime defenses can intervene.}\n