
Description

Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
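The failure mode described above is that a transient fault lands on the seed bytes (or on the pointer to them) between the moment the seed is derived and the moment Keccak expands it, so the device ends up expanding a value the attacker can predict. The following is an added example, not wolfSSL's code or its fix: it models that window, shows why an unprotected expansion is attacker-predictable under a seed-clearing or pointer-redirect fault, and shows one generic countermeasure (an integrity tag on the seed plus a redundant recomputation compared in constant time). The expansion mirrors the PRF of FIPS 203 (SHAKE256 over seed and a nonce byte) using Python's hashlib; the three fault models, the `KNOWN_PUBLIC_BUFFER` constant and every function name are assumptions constructed for this example.

```python
"""Fault-injection model for Keccak-based seed expansion with a redundancy
countermeasure.  Illustrative example only: the expansion mirrors the
FIPS 203 PRF (SHAKE256(seed || nonce byte)); the fault models, the check
layout and all names are assumptions, not wolfSSL's code or its patch."""
import hashlib
import hmac
import secrets


class FaultDetected(Exception):
    """Raised when a redundancy check finds evidence of a transient fault."""


def prf_expand(seed: bytes, nonce: int, out_len: int) -> bytes:
    """Keccak-based seed expansion: SHAKE256(seed || nonce), as in the FIPS 203 PRF."""
    return hashlib.shake_256(seed + bytes([nonce])).digest(out_len)


# --- fault models (constructed for this example) -----------------------------
def fault_zero_seed(buf: bytearray) -> None:
    """Glitch that leaves the seed buffer cleared, e.g. a skipped copy loop."""
    buf[:] = bytes(len(buf))


def fault_bit_flip(buf: bytearray) -> None:
    """Single-bit upset in the seed while it sits in RAM."""
    buf[0] ^= 0x01


KNOWN_PUBLIC_BUFFER = b"\x42" * 32   # constructed: a buffer whose contents the attacker knows


def fault_redirect_pointer(buf: bytearray) -> None:
    """Pointer redirected so the expansion reads an attacker-known buffer instead."""
    buf[:] = KNOWN_PUBLIC_BUFFER


# --- unprotected expansion: whatever the fault leaves in the buffer gets used ---
def expand_unprotected(seed: bytes, nonce: int, out_len: int, fault=None) -> bytes:
    work = bytearray(seed)
    if fault is not None:
        fault(work)              # transient fault lands between copy and use
    return prf_expand(bytes(work), nonce, out_len)


# --- protected expansion: integrity tag on the seed + redundant recomputation --
def expand_protected(seed: bytes, nonce: int, out_len: int, fault=None) -> bytes:
    tag = hashlib.sha3_256(seed).digest()     # captured before the seed is used
    work = bytearray(seed)
    if fault is not None:
        fault(work)
    out1 = prf_expand(bytes(work), nonce, out_len)
    # Check 1: the bytes actually fed to Keccak still match the original seed.
    if not hmac.compare_digest(hashlib.sha3_256(bytes(work)).digest(), tag):
        raise FaultDetected("seed buffer changed before expansion")
    # Check 2: recompute from the untouched input and require identical output.
    out2 = prf_expand(seed, nonce, out_len)
    if not hmac.compare_digest(out1, out2):
        raise FaultDetected("redundant expansion disagrees")
    return out1


def attacker_predicts(fault, nonce: int = 0, out_len: int = 64) -> bool:
    """True if an unprotected device under `fault` emits output the attacker can
    compute without knowing the secret seed (the key-compromise outcome)."""
    secret_seed = secrets.token_bytes(32)
    faulted = expand_unprotected(secret_seed, nonce, out_len, fault=fault)
    guesses = (prf_expand(bytes(32), nonce, out_len),            # cleared seed
               prf_expand(KNOWN_PUBLIC_BUFFER, nonce, out_len))  # redirected pointer
    return faulted in guesses


def protected_rejects(fault, nonce: int = 0, out_len: int = 64) -> bool:
    """True if the protected expansion refuses to return output under `fault`."""
    try:
        expand_protected(secrets.token_bytes(32), nonce, out_len, fault=fault)
    except FaultDetected:
        return True
    return False


if __name__ == "__main__":
    for f in (fault_zero_seed, fault_redirect_pointer, fault_bit_flip):
        print(f"{f.__name__:24s} unprotected predictable={attacker_predicts(f)} "
              f"protected rejects={protected_rejects(f)}")
```

The single-bit flip is the instructive case: the attacker cannot predict the unprotected output, but the derived key no longer matches the seed the device will later reuse, which is exactly the mismatch a differential fault analysis exploits, and the protected path still rejects it. Two caveats apply when porting this pattern to Cortex-M firmware: a compiler may merge the two identical SHAKE calls unless the second one reads from a separate, volatile-qualified copy, and the checks only cover a single transient fault, since a second well-timed glitch can skip the comparison itself.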

Status: PUBLISHED | Reserved 2026-03-03 | Published 2026-03-19 | Updated 2026-03-19 | Assigner: wolfSSL

Severity: MEDIUM 4.3 (CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/U:Amber)

Problem types

CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Product status

Default status: affected

Versions from 5.8.2 up to but not including 5.9.0 (semver): affected

Credits

Hariprasad Kelassery Valsaraj of Temasek Laboratories (finder)

References

github.com/wolfSSL/wolfssl/pull/9734

cve.org (CVE-2026-3503)

nvd.nist.gov (CVE-2026-3503)
