CVE-2026-11703 - wolfSSL TLS resumption SNI ALPN binding bypass
CVE-2026-11703 - wolfSSL TLS resumption SNI ALPN binding bypass - High - 2026-06-25
Business risk: Cached client-authentication state can cross virtual-host boundaries and bypass stricter authentication policy.
Root cause: Stateful session-ID resumption skipped the SNI/ALPN binding check that ticket-based resumption performed.
Affected versions
- Vulnerable: wolfSSL builds before the fix when stateful session-ID resumption is used across virtual hosts with different SNI/ALPN or client-auth policy.
- Fixed / safe target: Upgrade to a wolfSSL build containing PR 10489 or later and partition/validate session caches by SNI and ALPN.
- CVSS: 7.5 (High)
Exact vulnerable code pattern
wolfSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
serve_tls_connection(shared_ctx, client);
Fixed / mitigated code pattern
set_session_cache_key(current_sni, current_alpn, client_auth_policy_id);
if (!session_binding_matches(session, current_sni, current_alpn)) {
wolfSSL_set_session(ssl, NULL);
}
Step-by-step integration guide
- Inventory wolfSSL packages, vendored source, submodules, and embedded SDKs.
- Upgrade to the vendor-fixed build and rebuild static consumers.
- Add protocol regression/fuzz coverage for the affected path.
- Deploy patched firmware/images and retire vulnerable artifacts.
- Document temporary network controls used during rollout.
Alternative mitigations
- Block untrusted traffic to affected protocol endpoints.
- Disable the affected protocol feature where possible.
- Run affected services with process sandboxing and rate limits.
Detection signature
rg -n "wolfSSL|WOLFSSL_VERSION|libwolfssl|DTLS|ALPN|SNI|X509" .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-11703: wolfSSL TLS resumption SNI ALPN binding bypass.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-11703 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, wolfssl, tls, c, memory-safety, sellable_to_iot, zero_day_gold, high
- Affected tech stack: c/cpp
- Revenue tags: sellable_to_iot, zero_day_gold