Wolfssl · Wolfssl · CVE-2026-5460
**Name of the Vulnerable Software and Affected Versions**
wolfSSL (affected versions not specified)
**Description**
A heap use-after-free issue exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. Specifically, within the `TLSX KeyShare ProcessPqcHybridClient()` function in src/tls.c, an error handling path incorrectly frees a KyberKey object. Subsequently, the `TLSX KeyShare FreeAll()` function attempts to zero out the already-freed KyberKey using `ForceZero()`, leading to a write to freed heap memory.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.