CVE-2026-6092
Published: 25 June 2026
Summary
CVE-2026-6092 is a low-severity Algorithm Downgrade (CWE-757) vulnerability in the wolfSSL library (vendor wolfSSL). Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Weaken Encryption (T1600). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39573
Vulnerability details
When wolfSSL is built with HAVE_ENCRYPT_THEN_MAC, the implementation could still fall back to MAC-then-Encrypt for a connection rather than enforcing Encrypt-then-MAC (the TLS extension defined in RFC 7366).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CWE-757 algorithm-negotiation flaw directly enables weakening of encryption: Encrypt-then-MAC is not enforced even though the build option requests it.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so they address the weakness class (CWE-757) rather than this specific wolfSSL issue.
Windows 10 (1 rule)
- V-220938 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. via CWE-757
Windows 11 (1 rule)
- V-253462 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. via CWE-757
Windows Server 2016 (1 rule)
- V-225054 The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. via CWE-757
Windows Server 2019 (1 rule)
- V-205919 Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. via CWE-757
Windows Server 2022 (1 rule)
- V-254475 Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. via CWE-757