CVE-2026-3849

Published: Mar 19, 2026

Modified: Mar 25, 2026

PUBLISHED

Description

Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.

Vendor	Product	Versions
wolfSSL Inc.	wolfSSL	affected `v5.6.0-stable - <= v5.8.4-stable`

Weaknesses (CWE)

CWE-787

References

https://github.com/wolfSSL/wolfssl/pull/9737

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-3849

Description

Affected Products

Weaknesses (CWE)

References