Description
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. This happens because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
Published: 2026-04-09
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data confidentiality loss
Action: Patch immediately
AI Analysis

Impact

The vulnerability involves ARIA-GCM cipher suites in wolfSSL for TLS 1.2 and DTLS 1.2 that reuse the same 12-byte GCM nonce for every application-data record. Because the encryption routine is stateless and the IV supplied by the caller is never incremented, the same nonce is used repeatedly in non-FIPS builds that use the optional MagicCrypto SDK. Nonce reuse undermines both the confidentiality and the integrity guarantees of GCM: an attacker who observes multiple encrypted records can recover the GCM authentication key and forge messages.

Affected Systems

Vendors: wolfSSL. Products: wolfSSL library configured with the ARIA cipher suite and the proprietary MagicCrypto SDK, typically used for Korean regulatory deployments. The problem exists in builds where the --enable-aria flag is set and the non‑default SDK is employed. No specific version numbers are provided.

Risk and Exploitability

The vulnerability has a CVSS score of 6, indicating medium severity. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, suggesting that no public exploitation has been reported yet. Attackers would need visibility into TLS traffic using the affected cipher suite; the likely vector is a network-level attacker who can observe or inject records. The risk is therefore moderate, but the loss of GCM's security guarantees could lead to significant data exposure if exploited.

Generated by OpenCVE AI on April 9, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest wolfSSL release that removes nonce reuse or fixes the issue.
  • Disable ARIA‑GCM cipher suites in TLS configuration or remove the MagicCrypto SDK from the build.
  • Switch to AES‑GCM cipher suites, which maintain an internal counter.
  • If using older builds, build wolfSSL with the --disable-aria flag or enforce FIPS mode to ensure nonce incrementation.
  • Verify that TLS libraries are configured to use unique nonces per record.
  • Regularly check wolfSSL advisories for patches.
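As an added illustration (not wolfSSL or MagicCrypto code), the model below contrasts the stateless pattern the description attributes to wc_AriaEncrypt with a wrapper that owns its own invocation counter, and includes the per-record nonce-uniqueness check the recommendations call for. The 4-byte salt plus 8-byte explicit IV split and the class names are assumptions of this example.

```python
"""Constructed model of the TLS 1.2 / DTLS 1.2 GCM nonce layout (4-byte implicit
salt || 8-byte explicit IV = 12-byte nonce). Not wolfSSL or MagicCrypto code."""
from typing import Iterable, List, Tuple

SALT_LEN, EXPLICIT_LEN = 4, 8
GCM_NONCE_LEN = SALT_LEN + EXPLICIT_LEN  # 12 bytes, as in the advisory

def build_nonce(salt: bytes, explicit_iv: bytes) -> bytes:
    """Per-session salt concatenated with the per-record explicit IV."""
    if len(salt) != SALT_LEN or len(explicit_iv) != EXPLICIT_LEN:
        raise ValueError("bad nonce component length")
    return salt + explicit_iv

class StatelessSender:
    """Vulnerable pattern: no counter in the encrypt layer, and the caller's
    explicit IV is zero-initialised and never advanced (assumed model)."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt
        self.explicit_iv = bytes(EXPLICIT_LEN)  # zeroed at "session setup"

    def next_nonce(self) -> bytes:
        return build_nonce(self.salt, self.explicit_iv)  # identical every record

class CountingSender:
    """Hardened pattern: the wrapper owns a 64-bit invocation counter and
    derives the explicit IV from it, independently of any caller-side guard."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt
        self.invocations = 0

    def next_nonce(self) -> bytes:
        if self.invocations >= 2**64 - 1:  # explicit IV space exhausted
            raise RuntimeError("rekey required before sending more records")
        explicit_iv = self.invocations.to_bytes(EXPLICIT_LEN, "big")
        self.invocations += 1
        return build_nonce(self.salt, explicit_iv)

def find_nonce_reuse(nonces: Iterable[bytes]) -> List[Tuple[int, int]]:
    """Detection check over records sent under one key: returns
    (first_seen_index, repeat_index) for every nonce that recurs."""
    seen, hits = {}, []
    for idx, nonce in enumerate(nonces):
        if nonce in seen:
            hits.append((seen[nonce], idx))
        else:
            seen[nonce] = idx
    return hits
```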

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


Fri, 10 Apr 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wolfssl; Wolfssl wolfssl
Vendors & Products  |                | Wolfssl; Wolfssl wolfssl

Thu, 09 Apr 2026 21:15:00 +0000

Type        | Values Removed | Values Added
Description |                | In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
Title       |                | wolfSSL ARIA-GCM TLS 1.2/DTLS 1.2 GCM nonce reuse
Weaknesses  |                | CWE-323
References  |                |
Metrics     |                | cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-04-10T18:11:52.759Z

Reserved: 2026-04-02T19:37:56.049Z

Link: CVE-2026-5446

Vulnrichment

Updated: 2026-04-10T18:11:48.917Z

NVD

Status: Analyzed

Published: 2026-04-09T21:16:12.980

Modified: 2026-04-29T17:25:21.783

Link: CVE-2026-5446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:06Z

Weaknesses