CVE-2026-3549 — Vulnetix

CVE-2026-3549 PUBLISHED CVSS 8.300000190734863 HIGH

Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving.

EPSS 0.03% · 8.2th percentile

Risk Scores

CVSS v4.0

8.300000190734863

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L

EPSS Score

0.03%

8.2th percentile

Affected Products

Vendor	Product	Versions
wolfssl	wolfssl	0, 0, 0
wofSSL	wolfSSL	0, 0, 0

Timeline

Mar 19, 2026 CVE Published
Mar 19, 2026 PoC Published
Mar 20, 2026 EPSS Score
Mar 20, 2026 Coalition ESS Score
Mar 21, 2026 EPSS Score
Mar 21, 2026 Coalition ESS Score
Mar 22, 2026 EPSS Score
Mar 23, 2026 EPSS Score
Mar 24, 2026 EPSS Score
Mar 24, 2026 CVE Updated
Mar 25, 2026 EPSS Score
Mar 29, 2026 Security Advisory

References

https://github.com/wolfSSL/wolfssl/pull/9817 url
https://nvd.nist.gov/vuln/detail/CVE-2026-3549 advisory

Open in Interactive Console →