Description
Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.
Published: 2026-06-25
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a use-after-free condition in the handling of hybrid key-shares in PQC mode during a TLS 1.3 handshake. A malicious server that sends a truncated PQC hybrid KeyShare is able to cause the library’s cleanup path to operate on freed memory, which can lead to an application crash or, in the most severe case, memory corruption. The flaw is limited to the TLS handshake and does not provide an immediate path for remote code execution.

Affected Systems

The defect exists in the wolfSSL library for all versions where the PQC hybrid key-share feature is enabled. No specific version release is listed, but the issue was noted as an incomplete-fix follow-up to a prior advisory, implying that earlier releases such as 5.9.1 may still be affected. Users of wolfSSL should check their installed version and apply any available patches.

Risk and Exploitability

The CVSS score of 2.3 rates this flaw as low severity. Because the exploitation requires a malicious TLS server that sends a malformed KeyShare, the attack vector is remote and constrained to TLS traffic. The EPSS score is currently unavailable, and the vulnerability is not in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. Nonetheless, triggering a use-after-free can cause an application crash, potentially leading to denial of service.

Generated by OpenCVE AI on June 25, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest wolfSSL release that contains the fixed handling of PQC hybrid key‑shares.
  • If an upgrade is not immediately possible, configure the wolfSSL library or application to disable PQC hybrid key‑share support, removing the code path that processes the corrupted data.
  • Monitor application logs for crashes or anomalous memory access that could indicate an attempted exploitation.

Generated by OpenCVE AI on June 25, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Wolfssl
Wolfssl wolfssl
Vendors & Products Wolfssl
Wolfssl wolfssl

Thu, 25 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can still trigger the error cleanup path to operate on freed memory.
Title Use-after-free in PQC hybrid key-share handling
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Wolfssl Wolfssl
cve-icon MITRE

Status: PUBLISHED

Assigner: wolfSSL

Published:

Updated: 2026-06-25T20:01:16.991Z

Reserved: 2026-04-30T17:58:26.743Z

Link: CVE-2026-7531

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:00:05Z

Weaknesses