Description
AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
Published: 2026-06-25
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AES‑GCM streaming APIs in wolfSSL failed to enforce a maximum cumulative message size of 64 GiB, allowing the counter to wrap. This counter reuse leads to repeated keystream blocks, enabling an attacker to recover the plaintext of the compromised data stream. The weakness is classified as CWE‑323, representing inadequate encryption strength. The consequence is the loss of data confidentiality, with no direct impact on integrity or availability.

Affected Systems

The affected product is wolfSSL, specifically the streaming API implementation. No version information is provided in the advisory; organizations should verify the installed version against the vendor’s release notes to determine applicability.

Risk and Exploitability

The CVSS score of 2 indicates a low severity impact. EPSS is not available, suggesting limited known exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a scenario where an adversary orchestrates the transmission of a cumulative message exceeding 64 GiB over the vulnerable streaming API. Based on the description, it is inferred that such a large cumulative message can force the counter to wrap, leading to keystream reuse. The low CVSS and lack of known exploits imply a moderate overall risk, but organizations that handle very large data streams should consider the potential for plaintext recovery if the counter wrap occurs.

Generated by OpenCVE AI on June 25, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wolfSSL to a patched version that rejects cumulative messages over 64 B; consult the vendor’s security advisory or apply the patch referenced in the pull request.
  • If an upgrade is not immediately possible, modify the application to detect and reject any cumulative message size that exceeds 64 GiB before it is transmitted through the streaming API.
  • Continuously monitor network traffic and application logs for unusually large data streams that could indicate attempts to trigger counter wrap, and enforce rate limiting or size caps at the application layer.

Generated by OpenCVE AI on June 25, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4683-1 wolfssl security update
History

Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
Title AES-GCM streaming APIs do not reject >64 GiB cumulative single messages, enabling counter wrap and keystream reuse
Weaknesses CWE-323
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T17:57:09.838Z

Reserved: 2026-06-17T22:11:03.531Z

Link: CVE-2026-55967

cve-icon Vulnrichment

Updated: 2026-06-25T17:57:06.377Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-323

    Reusing a Nonce, Key Pair in Encryption