CVE-2026-5446
Published: 09 April 2026
Summary
CVE-2026-5446 is a medium-severity Reusing a Nonce, Key Pair in Encryption (CWE-323) vulnerability. Its CVSS base score is 6.0 (Medium).
Operationally, ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2026-5446 affects the wolfSSL cryptographic library, specifically ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2. The vulnerability stems from reusing an identical 12-byte GCM nonce for every application-data record, as wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the proprietary MagicCrypto SDK without an internal counter. The explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This issue is limited to wolfSSL builds configured with the non-default --enable-aria option and the MagicCrypto SDK, an opt-in setup required for Korean regulatory deployments. AES-GCM cipher suites are unaffected, as wc_AesGcmEncrypt_ex maintains an independent internal invocation counter.
Attackers positioned to observe encrypted TLS 1.2 or DTLS 1.2 traffic using vulnerable ARIA-GCM cipher suites could exploit the nonce reuse, associated with CWE-323 (Reused Initialization Vector), to potentially decrypt application data or forge records. Exploitation requires the target to be using the specific non-default wolfSSL configuration with MagicCrypto SDK.
Mitigation is provided through a patch in the wolfSSL GitHub pull request at https://github.com/wolfSSL/wolfssl/pull/10111. Security practitioners should update affected wolfSSL builds and avoid the --enable-aria configuration with MagicCrypto SDK unless required for regulatory compliance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21180
Vulnerability details
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter,…
more
and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires cryptographic mechanisms that protect the confidentiality and integrity of transmitted information, which the ARIA-GCM nonce reuse violates.
Mandates the use of approved cryptographic protection mechanisms for data in transit, which the stateless wc_AriaEncrypt implementation fails to provide.
Requires timely remediation of identified flaws, directly addressed by applying the wolfSSL patch that restores proper nonce handling.