Vulnerability Description
Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wolfssl | Wolfssl | >= 3.15.0, < 5.9.2 |
Related Weaknesses (CWE)
References
- https://github.com/wolfSSL/wolfssl/pull/10489Issue TrackingPatch
- https://www.wolfssl.com/docs/security-vulnerabilities/Vendor Advisory
FAQ
What is CVE-2026-11703?
CVE-2026-11703 is a vulnerability with a CVSS score of 7.5 (HIGH). Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/...
How severe is CVE-2026-11703?
CVE-2026-11703 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-11703?
Check the references section above for vendor advisories and patch information. Affected products include: Wolfssl Wolfssl.