CVE-2026-3849

Name of the Vulnerable Software and Affected Versions wolfSSL version 5.8.4

Description A flaw exists in wolfSSL 5.8.4’s Encrypted Client Hello (ECH) support. A specially crafted ECH configuration from a malicious TLS server can trigger a stack buffer overflow on the client side. This could potentially lead to remote code execution or a client program crash. ECH is disabled by default and requires explicit enabling. The vulnerable function is wc HpkeLabeledExtract.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.