CVE-2026-5460 | THREATINT

Description

A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-09 | Updated 2026-04-10 | Assigner wolfSSL

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-416 Use After Free

Product status

Default status

unaffected

Any version before 5.9.1

affected

Credits

Calvin Young (eWalker Consulting Inc.) finder

Enoch Chow (Isomorph Cyber) finder

References

github.com/wolfssl/wolfssl/pull/10092

cve.org (CVE-2026-5460)

nvd.nist.gov (CVE-2026-5460)

Download JSON