{"id":"CVE-2022-23408","details":"wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.","modified":"2026-05-18T22:14:54.738170Z","published":"2022-01-18T20:20:15Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23408.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23408.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23408"},{"type":"FIX","url":"https://github.com/wolfSSL/wolfssl/pull/4710"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wolfssl/wolfssl","events":[{"introduced":"7e01af012157bc20c840011a018619915380f05c"},{"fixed":"c3513bf2573c30f6d2df815de216120e92142020"}]}],"versions":["WCv5.0-RC12","WCv5.0-RC11","WCv5.0-RC10","v5.1.0-stable","v5.0.0-stable"],"database_specific":{"vanir_signatures_modified":"2026-05-18T22:14:54Z","vanir_signatures":[{"signature_version":"v1","target":{"file":"wolfssl/wolfcrypt/types.h"},"signature_type":"Line","id":"CVE-2022-23408-70232f27","digest":{"line_hashes":["200590224686773621064818426051680514278","73842892001327371820861045504044856872","180370452298823710791418685500416112741","232453673344828506816027349836980723411"],"threshold":0.9},"deprecated":false,"source":"https://github.com/wolfssl/wolfssl/commit/c3513bf2573c30f6d2df815de216120e92142020"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23408.json"}}],"schema_version":"1.7.5"}