CVE-2026-5460

Name of the Vulnerable Software and Affected Versions wolfSSL (affected versions not specified)

Description A heap use-after-free issue exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. Specifically, within the TLSX KeyShare ProcessPqcHybridClient() function in src/tls.c, an error handling path incorrectly frees a KyberKey object. Subsequently, the TLSX KeyShare FreeAll() function attempts to zero out the already-freed KyberKey using ForceZero(), leading to a write to freed heap memory.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.