Session Resumption Vulnerability in wolfSSL Affects Secure Communication
CVE-2026-11703

6MEDIUM

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-11703?

This vulnerability in the wolfSSL library occurs due to missing Server Name Indication (SNI) and Application-Layer Protocol Negotiation (ALPN) binding during the stateful session-ID resumption. Previously, when a session was resumed using a ticket, the binding check was skipped, allowing a cached session to be resumed under a different SNI/ALPN than originally established. This could lead to situations where a cached peer-authentication state was carried over into a context that it was not meant for, potentially breaching security between different virtual hosts. The latest updates introduce verification of the SNI/ALPN binding for all resumption paths, reverting to a full handshake procedure when mismatches occur, thereby enhancing protocol security.

Affected Version(s)

wolfSSL 3.15.0 <= 5.9.1

References

https://github.com/wolfSSL/wolfssl/pull/10489

patch

https://www.wolfssl.com/docs/security-vulnerabilities/

CVSS V4

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

Dikai Zou

CVE-2026-11703 Data

JSON

Wolfssl

What is CVE-2026-11703?

Affected Version(s)

References

CVSS V4

Timeline

Credit