CVE-2023-6936

Published: 20 February 2024

In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).

Priority

Status

Package	Release	Status
wolfssl Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	jammy	Needs triage
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needs triage
	noble	Not vulnerable (5.6.6-1.2)
	trusty	Ignored (end of standard support)
	upstream	Released (5.6.6-1.2)
	xenial	Needs triage

References

https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
https://www.cve.org/CVERecord?id=CVE-2023-6936
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059357

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›