CVE-2026-4395 — Vulnetix

CVE-2026-4395 PUBLISHED CVSS 1.2999999523162842 LOW

Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange.

EPSS 0.14% · 34.4th percentile

Risk Scores

CVSS v4.0

1.2999999523162842

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/AU:Y/R:U/V:D/RE:L/U:Amber

EPSS Score

0.14%

34.4th percentile

Affected Products

Vendor	Product	Versions
wolfssl	wolfssl	0, 0, 0
wolfSSL	wolfssl	0, 0, 0

Timeline

Mar 19, 2026 CVE Published
Mar 19, 2026 PoC Published
Mar 20, 2026 EPSS Score
Mar 20, 2026 Coalition ESS Score
Mar 20, 2026 CVE Updated
Mar 21, 2026 EPSS Score
Mar 21, 2026 Coalition ESS Score
Mar 22, 2026 EPSS Score
Mar 23, 2026 EPSS Score
Mar 24, 2026 EPSS Score
Mar 25, 2026 EPSS Score
Mar 29, 2026 Security Advisory

References

https://github.com/wolfSSL/wolfssl/pull/9988 patch
https://nvd.nist.gov/vuln/detail/CVE-2026-4395 advisory

Open in Interactive Console →