CVE-2025-11934

CVE Database · CVE-2025-11934

CVE-2025-11934

· LOWAnalyzed

CVSS v3.1

2.7

CVSS v4.0

2.1

EPSS

0.15%

Published

Nov 21, 2025

Modified

Dec 3, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-20

Affected Products (3)

wolfssl · wolfssl (up to 5.8.4)vulnerable

apple · macos

linux · linux_kernel

References (3)

https://github.com/wolfSSL/wolfssl

Product

https://github.com/wolfSSL/wolfssl/pull/9113

Issue TrackingPatch

https://github.com/wolfSSL/wolfssl/pull/9113

Issue TrackingPatch

KEV Catalog EPSS Scores Vendors All CVEs