CVE-2025-11936 MEDIUM

CVE-2025-11936: Potential DoS Vulnerability through Multiple KeyShareEntry with Same Group in TLS 1.3 ClientHello

Vendor Wolfssl
Product wolfSSL
Weakness CWE-20 · Input validation
Published November 21, 2025
Last update December 8, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

What the vulnerability does

01Description

Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing.

Key dates

02Disclosure timeline

November 21, 2025 CVE published
December 8, 2025 Record updated