CVE-2026-3503 MEDIUM

CVE-2026-3503: Fault injection attack with ML-DSA and ML-KEM on ARM

Vendor wolfSSL Inc.
Product wolfSSL (wolfCrypt)
Weakness CWE-335
Published March 19, 2026
Last update March 19, 2026

CVSS base score

4.3/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/U:Amber

What the vulnerability does

01 Description

Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.

Key dates

02 Disclosure timeline

March 19, 2026 CVE published
March 19, 2026 Record updated