Vulnerability Description
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wolfssl | Wolfssl | >= 5.8.2, < 5.8.4 |
| Apple | Macos | - |
| Linux | Linux Kernel | - |
Related Weaknesses (CWE)
References
- https://github.com/wolfSSL/wolfsslProduct
- https://github.com/wolfSSL/wolfssl/pull/9113Issue TrackingPatch
- https://github.com/wolfSSL/wolfssl/pull/9113Issue TrackingPatch
FAQ
What is CVE-2025-11934?
CVE-2025-11934 is a vulnerability with a CVSS score of 2.7 (LOW). Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For e...
How severe is CVE-2025-11934?
CVE-2025-11934 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-11934?
Check the references section above for vendor advisories and patch information. Affected products include: Wolfssl Wolfssl, Apple Macos, Linux Linux Kernel.