Johannes Wilson

**Name of the Vulnerable Software and Affected Versions** wolfSSL versions prior to 5.6.6 **Description** The issue arises from the failure to check that messages in one (D)TLS record do not span key boundaries, allowing the combination of (D)TLS messages using different keys into one (D)TLS record. In the most extreme case, in (D)TLS 1.3, an unencrypted (D)TLS 1.3 record from the server containing a ServerHello message and the rest of the first server flight could be accepted by a wolfSSL client. Although this does not compromise key negotiation and authentication, it poses a security risk. **Recommendations** For wolfSSL versions prior to 5.6.6, update to version 5.6.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of (D)TLS 1.3 records to minimize the risk of exploitation. Avoid using unencrypted flights from the server in (D)TLS 1.3 until the issue is resolved.