Cyber Resilience

CVE-2026-12340

Severity: Medium
Published: 25 June 2026
Modified: 26 June 2026
KEV Added: (not listed)
Patch:
CVSS v4.0 base score: 6.3 (Medium)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0023 (13.3rd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-12340 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in wolfSSL (vendor wolfSSL, product wolfSSL). Its CVSS base score is 6.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 13.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Out-of-bounds heap read during SM2/SM3 certificate signature verification. When parsing a certificate with an SM3wSM2 signature, the Subject Key Identifier computation reads the trailing 65 bytes of the public key without checking that the key is at least that long. A public key shorter than 65 bytes results in an out-of-bounds heap read, leading to a potential crash (denial of service); there is no out-of-bounds write. Note that this only affects builds with SM2 support (--enable-sm2 or --enable-all).
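The defect described above is a missing length check before a fixed-size read at the end of a buffer. The following is an added illustration written for this page, not wolfSSL's code: it shows the hardened form of such a Subject Key Identifier routine, in which the trailing 65 bytes (an uncompressed SM2 point, 0x04 || X || Y) are only touched once the key buffer is known to be at least that long. The function names, the constants and the digest (a placeholder FNV-1a standing in for SM3) are assumptions made for the example; the sample key bytes are constructed.

```c
/* Added example (not wolfSSL code): the missing length check behind
 * CVE-2026-12340, in simplified form. Names, constants and the digest
 * are assumptions for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SM2_PUB_KEY_LEN 65   /* uncompressed point: 0x04 || X(32) || Y(32) */
#define KEY_ID_LEN      8    /* size of the toy identifier produced below */

/* Placeholder digest (64-bit FNV-1a). Stands in for SM3 so the example
 * builds without a crypto library; the length check is the point here. */
static uint64_t placeholder_digest(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Vulnerable pattern, for reference only and never executed here: forming
 * key + (keyLen - SM2_PUB_KEY_LEN) without first checking keyLen. When
 * keyLen < 65 the subtraction wraps in size_t, the pointer lands outside the
 * allocation, and the digest reads heap memory the key does not own. */

/* Hardened form: derive an identifier over the trailing 65 bytes of key.
 * Returns 0 on success, -1 if the key is too short or an argument is NULL. */
int compute_sm2_key_id(const uint8_t *key, size_t keyLen, uint8_t out[KEY_ID_LEN])
{
    if (key == NULL || out == NULL)
        return -1;
    if (keyLen < SM2_PUB_KEY_LEN)          /* the check the bug lacked */
        return -1;
    const uint8_t *tail = key + (keyLen - SM2_PUB_KEY_LEN);
    uint64_t h = placeholder_digest(tail, SM2_PUB_KEY_LEN);
    for (size_t i = 0; i < KEY_ID_LEN; i++)
        out[i] = (uint8_t)(h >> (56 - 8 * i));
    return 0;
}

/* Constructed input: a 100-byte buffer used both as a too-short 33-byte key
 * and as a long key whose identifier must depend only on its last 65 bytes. */
static uint8_t sample_key[100];

static void fill_sample(void)
{
    for (size_t i = 0; i < sizeof sample_key; i++)
        sample_key[i] = (uint8_t)(i * 7 + 3);
    sample_key[35] = 0x04;  /* the 65-byte tail starts like an uncompressed point */
}

/* 1 if a key shorter than 65 bytes is refused instead of read out of bounds. */
int short_key_is_rejected(void)
{
    uint8_t id[KEY_ID_LEN];
    fill_sample();
    return compute_sm2_key_id(sample_key, 33, id) == -1;
}

/* 1 if the identifier of the full buffer equals that of its 65-byte suffix,
 * i.e. only the trailing bytes are hashed and nothing before them. */
int id_uses_only_trailing_bytes(void)
{
    uint8_t a[KEY_ID_LEN], b[KEY_ID_LEN];
    fill_sample();
    if (compute_sm2_key_id(sample_key, sizeof sample_key, a) != 0) return 0;
    if (compute_sm2_key_id(sample_key + 35, SM2_PUB_KEY_LEN, b) != 0) return 0;
    return memcmp(a, b, KEY_ID_LEN) == 0;
}

int main(void)
{
    printf("short key rejected: %d\n", short_key_is_rejected());
    printf("id over trailing 65 bytes only: %d\n", id_uses_only_trailing_bytes());
    return 0;
}
```

For defenders, the useful detail is that the faulty arithmetic produces a pointer before the buffer rather than a huge length, so the read looks like an ordinary 65-byte digest call to any allocator-level guard; the length check on the input, not a check on the output, is what closes the issue. Running SM2-enabled builds (--enable-sm2 or --enable-all) under AddressSanitizer with short-key test certificates is the practical way to confirm a fix.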

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

An out-of-bounds read in certificate parsing directly enables application exploitation for denial of service via crafted SM2/SM3 certificates.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3547 (same product: wolfSSL)
CVE-2024-5991 (same product: wolfSSL)
CVE-2022-42905 (same product: wolfSSL)
CVE-2026-6094 (same product: wolfSSL)
CVE-2026-3849 (same product: wolfSSL)
CVE-2023-6936 (same product: wolfSSL)
CVE-2026-5503 (same product: wolfSSL)
CVE-2026-6330 (same product: wolfSSL)
CVE-2024-1544 (same product: wolfSSL)
CVE-2026-6678 (same product: wolfSSL)

Affected Assets

Vendor: wolfssl
Product: wolfssl
Versions: 5.6.4 through 5.9.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References