wolfSSL has disclosed a high-severity vulnerability in its embedded TLS library that undermines the authentication guarantees of AES-GCM when data streams exceed 64 GiB. Tracked as CVE-2026-55967 and published on June 25, 2026, the bug affects all wolfSSL releases from version 4.8.0 through 5.9.1, allowing attackers to forge authenticated data or corrupt encrypted communications without detection.

The flaw sits in the library’s AES-GCM streaming API, which is widely used in resource-constrained devices and applications that need to encrypt lengthy payloads piece by piece. Instead of enforcing the cryptographic limit that caps a single GCM-encrypted message at roughly 68.7 billion bytes, the streaming implementation silently accepted oversized input. That lapse means any application using wolfSSL’s wc_AesGcmEncrypt or Decrypt functions in streaming mode can be tricked into processing a message whose authentication tag no longer offers the security guarantees of AES-GCM.

A ubiquitous library under the radar

wolfSSL may not be a household name, but it powers secure communications in millions of embedded systems, from automotive ECUs and medical devices to home routers and Windows IoT Core appliances. Because it places a low memory footprint and liberal licensing at the center of its design, the library has become the go-to choice for developers who need a lightweight TLS 1.3 stack. Microsoft itself ships wolfSSL components inside Azure RTOS and Azure Sphere, meaning a large subset of Windows-adjacent edge devices could be running the vulnerable code.

“When you encrypt a stream that exceeds the NIST-mandated maximum plaintext length, the counter block wraps, and the keystream repeats,” said Larry Stefonic, CEO of wolfSSL Inc., in a statement accompanying the advisory. “In AES-GCM, that breaks both confidentiality and authenticity – the very properties the algorithm is meant to provide.”

AES-GCM’s fine print

AES-GCM (Galois/Counter Mode) combines the AES block cipher in counter mode with a polynomial authenticator called GHASH. With the usual 96-bit IV it forms an initial counter block J0 from the IV, encrypts successive increments of J0 under the secret key to produce keystream, and XORs that keystream with the plaintext to produce ciphertext. GHASH, keyed with H = E_K(0^128), is run over the associated data (AAD) and the ciphertext; the authentication tag is that hash value XORed with E_K(J0), so the tag protects the integrity of both the ciphertext and the AAD.

The standard, NIST SP 800-38D, caps the plaintext processed under a single key/IV pair at 2^39 – 256 bits. That is 2^32 – 2 blocks of 16 bytes, or 68,719,476,704 bytes: 32 bytes short of 64 GiB, the boundary the advisory refers to. The reason is the counter. With a 96-bit IV, GCM forms J0 = IV || 0^31 || 1 and encrypts plaintext block i (counting from 0) with the keystream block E_K(J0 incremented i + 1 times), where only the low 32 bits of the block are incremented, modulo 2^32. After 2^32 – 2 blocks the counter wraps: it passes through 0, then 1 (which is J0 itself, the block whose encryption masks the tag), then returns to 2, the value used for the first plaintext block, from which point the keystream repeats. Repeated keystream lets an attacker XOR two ciphertext blocks to cancel the keystream and obtain the XOR of the underlying plaintexts, undermining confidentiality. The damage to authenticity is more direct: whoever knows the plaintext at the block encrypted with J0 learns E_K(J0); XORing that into the tag exposes the GHASH output, a polynomial in the hash key H with known coefficients, from which H can be recovered. With H and E_K(J0) in hand the attacker computes valid tags for modified or wholly forged messages.
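To make the counter arithmetic concrete, here is an added illustration in C, written for this page rather than taken from wolfSSL, and it does not run AES at all: it builds J0 from a 96-bit IV, implements the inc32 step from SP 800-38D, and computes which plaintext block index reuses J0 (leaking the tag mask) and which one repeats the first keystream block. The IV bytes are a constructed sample and the function names are mine.

```c
/* Added illustration of the AES-GCM counter and its 64 GiB limit. Not wolfSSL
 * code; models only the counter block, no AES is performed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GCM_BLOCK 16
#define GCM_IV_LEN 12

/* inc32 from SP 800-38D section 6.2: increment the low-order 32 bits of the
 * counter block as a big-endian integer, modulo 2^32. The other 96 bits (the
 * IV) never change, which is why the keystream space per IV is 2^32 blocks. */
void gcm_inc32(uint8_t block[GCM_BLOCK]) {
    uint32_t c = ((uint32_t)block[12] << 24) | ((uint32_t)block[13] << 16) |
                 ((uint32_t)block[14] << 8) | (uint32_t)block[15];
    c += 1; /* 0xFFFFFFFF wraps to 0 */
    block[12] = (uint8_t)(c >> 24); block[13] = (uint8_t)(c >> 16);
    block[14] = (uint8_t)(c >> 8);  block[15] = (uint8_t)c;
}

/* Read back the 32-bit counter field of a counter block. */
uint32_t gcm_counter_low32(const uint8_t block[GCM_BLOCK]) {
    return ((uint32_t)block[12] << 24) | ((uint32_t)block[13] << 16) |
           ((uint32_t)block[14] << 8) | (uint32_t)block[15];
}

/* J0 for a 96-bit IV: IV || 0^31 || 1. E_K(J0) masks the tag and is never
 * meant to be used as keystream. */
void gcm_j0(const uint8_t iv[GCM_IV_LEN], uint8_t j0[GCM_BLOCK]) {
    memcpy(j0, iv, GCM_IV_LEN);
    j0[12] = 0; j0[13] = 0; j0[14] = 0; j0[15] = 1;
}

/* Counter field used to encrypt plaintext block `index` (0-based): inc32 is
 * applied index + 1 times to J0, so the value is (index + 2) mod 2^32. */
uint32_t gcm_counter_for_block(uint64_t index) {
    return (uint32_t)((index + 2) & 0xFFFFFFFFu);
}

/* Earliest block index that shares a counter value, and hence keystream,
 * with `index`. Equal to index itself until the counter has wrapped. */
uint64_t gcm_keystream_origin(uint64_t index) {
    return index & 0xFFFFFFFFULL;
}

/* Block index whose counter wraps back to 1, i.e. to J0: encrypting this block
 * outputs E_K(J0) XOR plaintext, leaking the tag mask to anyone who knows
 * the plaintext there. */
uint64_t gcm_tag_mask_block_index(void) {
    return 0xFFFFFFFFULL; /* 2^32 - 1 */
}

/* Legal plaintext per key/IV: counters 2 .. 2^32 - 1, i.e. 2^32 - 2 blocks,
 * which is (2^39 - 256) bits = 68,719,476,704 bytes. */
uint64_t gcm_max_plaintext_bytes(void) {
    return (((uint64_t)1 << 32) - 2) * GCM_BLOCK;
}

/* The check the streaming path lacked: 1 if a running total is past the limit. */
int gcm_exceeds_limit(uint64_t total_bytes) {
    return total_bytes > gcm_max_plaintext_bytes();
}

int main(void) {
    uint8_t iv[GCM_IV_LEN] = {0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce,
                              0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88}; /* constructed sample IV */
    uint8_t ctr[GCM_BLOCK];
    gcm_j0(iv, ctr);
    gcm_inc32(ctr);
    printf("first keystream counter: %u\n", gcm_counter_low32(ctr));
    printf("limit: %llu bytes\n", (unsigned long long)gcm_max_plaintext_bytes());
    printf("block %llu reuses J0; block %llu repeats block %llu\n",
           (unsigned long long)gcm_tag_mask_block_index(),
           (unsigned long long)((uint64_t)1 << 32),
           (unsigned long long)gcm_keystream_origin((uint64_t)1 << 32));
    return 0;
}
```

The closed form in gcm_counter_for_block is exactly what a streaming implementation accumulates implicitly; the bug described above is that nothing compared the running byte count against gcm_max_plaintext_bytes before the counter reached the wrap.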

wolfSSL’s single-shot (non-streaming) AES-GCM API already enforced the limit, returning BUFFER_E if a caller tried to encrypt or decrypt a buffer longer than WOLFSSL_AES_GCM_MAX_PLAINTEXT. The streaming API, introduced in version 4.8.0, was meant to respect the same boundary. But a missing sanity check in the internal AesGcmStreamProcess routine meant that the cumulative length of all chunks pushed through the stream was never compared against the cap.

Real-world impact

The exposure is in applications that use the streaming API directly to protect one large object under a single key/IV pair: firmware update daemons, backup agents, or file-transfer tools that encrypt a whole image or archive as one AES-GCM message. The TLS and DTLS record layers are a different case. Each record, at most 16 KiB of plaintext in TLS 1.3, is encrypted under its own per-record nonce, so a long download over HTTPS or a long-lived VPN tunnel never pushes 64 GiB through one GCM invocation and does not reach this bug through the record layer.

Whether an attacker can trigger the condition therefore depends on how wolfSSL is wired into the system. An application that feeds an entire received object through the streaming interface as one message, verifying the tag only at the end, can cross the limit during a long transfer of attacker-supplied data. Microcontrollers running such code are unlikely to see 64 GiB of input, but gateways, backup targets and cloud-connected edge servers certainly can.

The attacker does not need the encryption key. What the attack needs is a message encrypted under one key/IV pair past the limit with attacker-known, or attacker-supplied, plaintext at the point where the counter wraps: the block encrypted with J0 then reveals E_K(J0), the tag yields the GHASH output, and from it the hash key H. With those two values the attacker can compute a valid tag for ciphertext they have modified or forged, and the repeated keystream lets them rewrite ciphertext blocks to chosen plaintext. The vulnerable library makes this possible by continuing past the boundary and accepting the resulting stream and tag, where the patched version rejects the oversized input before the counter can wrap.

Discovering the bug

Credit for finding CVE-2026-55967 goes to the red team at a major semiconductor vendor during a routine audit of TLS libraries used in automotive SoCs. Their engineers noticed that while wolfSSL’s documentation warned about the 64 GiB limit, the streaming example code contained no guard against oversize input. A follow-up code review confirmed that neither AesGcmStreamInit nor the subsequent Update calls tracked the accumulated size.

wolfSSL’s development team acknowledged the oversight and issued a patch within 48 hours of receiving the report. The fix adds an accumulator variable to the AesGcmStream structure and checks it against MAX_PLAINTEXT before each chunk is processed. If the total would exceed the bound, the API now returns AES_GCM_OVERFLOW_E.

Affected versions and patch availability

The CVE advisory lists all wolfSSL versions from 4.8.0 (the first release that included the streaming API) through 5.9.1 as vulnerable. Version 5.9.2, released on June 25, 2026, contains the fix. Users who compile wolfSSL from source can apply the patch directly by pulling the latest commit from the master branch on GitHub. Binary distributions for Windows, including the vcpkg and Conan packages, have been updated.

Organizations that cannot immediately upgrade should implement an application-level limiter: any stream that may approach 64 GiB must be split into separate messages, each initialized with a fresh IV and each carrying and verifying its own tag, with the segment index bound into the AAD so the receiver detects reordered or dropped segments. Track the byte count with overflow-safe arithmetic (compare the remaining allowance against the chunk length rather than adding and then comparing). wolfSSL also provides a compile-time option --disable-aesgcm-stream that removes the streaming API entirely, forcing all AES-GCM operations through the single-shot path, which already enforces the limit.
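The following is an added example of such a limiter in C, written for this page rather than taken from wolfSSL. It tracks the bytes fed per segment with overflow-safe arithmetic, derives a distinct 96-bit IV per segment using the deterministic construction from SP 800-38D section 8.2.1 (a 32-bit fixed field followed by a 64-bit invocation counter), and binds the segment index into the AAD. The cipher calls themselves are left as comments, since the point is the accounting; all names here (gcm_limiter, limiter_account, and so on) are hypothetical, and the fixed-field value is a constructed sample.

```c
/* Added example: application-level length limiter for streaming AES-GCM.
 * Not wolfSSL code; the library's Init/Update/Final calls are marked as comments. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GCM_IV_LEN 12
/* SP 800-38D limit per key/IV: 2^32 - 2 blocks of 16 bytes = 2^36 - 32 bytes. */
#define GCM_MAX_PLAINTEXT_BYTES ((((uint64_t)1 << 32) - 2) * 16)

enum { LIMITER_OK = 0, LIMITER_ROTATE = 1, LIMITER_TOO_LARGE = -1 };

/* Hypothetical state the application keeps beside the library's stream context. */
struct gcm_limiter {
    uint64_t max_bytes;     /* per-segment cap, never above the GCM limit */
    uint64_t segment_bytes; /* plaintext fed under the current IV so far */
    uint64_t segment_index; /* 0 for the first segment, +1 per rotation */
    uint32_t fixed_field;   /* identifies this sender/key holder in the IV */
};

/* max_bytes == 0 selects the full GCM limit; larger requests are clamped. */
void limiter_init(struct gcm_limiter *l, uint32_t fixed_field, uint64_t max_bytes) {
    l->max_bytes = (max_bytes == 0 || max_bytes > GCM_MAX_PLAINTEXT_BYTES)
                       ? GCM_MAX_PLAINTEXT_BYTES : max_bytes;
    l->segment_bytes = 0;
    l->segment_index = 0;
    l->fixed_field = fixed_field;
}

/* Deterministic IV (SP 800-38D 8.2.1): 32-bit fixed field || 64-bit invocation
 * counter, big-endian. The segment index is the counter, so segments under the
 * same key never share an IV as long as fixed_field is unique per key holder. */
void limiter_segment_iv(const struct gcm_limiter *l, uint8_t iv[GCM_IV_LEN]) {
    int i;
    for (i = 0; i < 4; i++) iv[i] = (uint8_t)(l->fixed_field >> (24 - 8 * i));
    for (i = 0; i < 8; i++) iv[4 + i] = (uint8_t)(l->segment_index >> (56 - 8 * i));
}

/* AAD for the segment: its index, so a receiver rejects reordered, duplicated
 * or dropped segments even though each segment carries a valid tag on its own. */
void limiter_segment_aad(const struct gcm_limiter *l, uint8_t aad[8]) {
    int i;
    for (i = 0; i < 8; i++) aad[i] = (uint8_t)(l->segment_index >> (56 - 8 * i));
}

/* Call before handing `len` bytes to the streaming Update call.
 * LIMITER_OK: fits, counter advanced. LIMITER_ROTATE: nothing advanced; finish
 * the current segment (emit its tag), call limiter_rotate(), then retry.
 * LIMITER_TOO_LARGE: the chunk alone exceeds the cap; split it first.
 * Written as max - used >= len, not used + len <= max, so it cannot wrap. */
int limiter_account(struct gcm_limiter *l, size_t len) {
    if ((uint64_t)len > l->max_bytes) return LIMITER_TOO_LARGE;
    if (l->max_bytes - l->segment_bytes < (uint64_t)len) return LIMITER_ROTATE;
    l->segment_bytes += (uint64_t)len;
    return LIMITER_OK;
}

void limiter_rotate(struct gcm_limiter *l) {
    l->segment_index += 1;
    l->segment_bytes = 0;
}

/* Drive `total` bytes through the limiter in chunks of `chunk` bytes and return
 * how many segments (fresh IV and tag each) the stream needs, or 0 if a chunk
 * can never fit. The comments mark where the library calls would go. */
uint64_t limiter_feed_stream(struct gcm_limiter *l, uint64_t total, size_t chunk) {
    uint64_t segments = 1;
    if (chunk == 0) return 0;
    /* here: Init the first segment with limiter_segment_iv()/limiter_segment_aad() */
    while (total > 0) {
        size_t n = total < (uint64_t)chunk ? (size_t)total : chunk;
        int rc = limiter_account(l, n);
        if (rc == LIMITER_TOO_LARGE) return 0;
        if (rc == LIMITER_ROTATE) {
            /* here: Final on the old segment, emit its tag */
            limiter_rotate(l);
            /* here: Init the next segment with a fresh IV and AAD */
            segments++;
            continue;
        }
        /* here: Update over the next n bytes of plaintext */
        total -= n;
    }
    return segments;
}

int main(void) {
    struct gcm_limiter l;
    uint8_t iv[GCM_IV_LEN];
    limiter_init(&l, 0xA1B2C3D4u, 0); /* constructed fixed field */
    printf("64 GiB in 1 MiB chunks needs %llu segments\n",
           (unsigned long long)limiter_feed_stream(&l, (uint64_t)1 << 36, (size_t)1 << 20));
    limiter_segment_iv(&l, iv);
    printf("current segment IV ends in counter byte %u\n", (unsigned)iv[GCM_IV_LEN - 1]);
    return 0;
}
```

limiter_feed_stream shows the control flow a caller follows: on LIMITER_ROTATE it must finalize the current segment and emit its tag before starting the next one, and the receiver mirrors the same segment boundaries, verifying each tag before releasing that segment's plaintext.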

Security community response

The publication of CVE-2026-55967 has sparked renewed debate in the embedded security community about the dangers of streaming cryptographic APIs. “Streaming interfaces always look convenient until you realize they hide state that needs careful management,” commented one developer on the wolfSSL forums. “This isn’t the first library to trip over GCM’s limits, and it won’t be the last.”

Microsoft’s security team is evaluating the impact on Azure Sphere and other products that embed wolfSSL. A spokesperson for the company indicated that patches for affected Microsoft offerings will be distributed through standard update channels within the next week. Windows users who deploy third-party software that links statically against wolfSSL should check with the software vendor for an updated build.

How to detect vulnerable systems

Developers can scan their source trees for calls to wc_AesGcmEncrypt or Decrypt where the WC_AES_GCM_STREAM flag is set and verify the wolfSSL version string. On Linux, strings libwolfssl.so | grep "wolfSSL " prints the version; on Windows, the properties of wolfssl.dll show the same information. Because the version is a string literal inside the library, the same strings check works on an application that links wolfSSL statically, and code can query it at runtime with wolfSSL_lib_version() or at compile time through LIBWOLFSSL_VERSION_STRING from wolfssl/version.h. Any version from 4.8.0 to 5.9.1 inclusive is at risk.

For systems already in the field, network monitoring offers only a weak signal. A single object of more than 64 GiB moving in one direction within one session may indicate an oversized application-layer stream, but ordinary large file transfers trigger the same heuristic, and the TLS record layer itself gives no indication of how the receiving application chunks its AES-GCM calls. The definitive mitigation is updating the library.

The bigger picture

CVE-2026-55967 is a reminder that even well-vetted cryptographic libraries can contain subtle protocol-level flaws. AES-GCM’s limits are clearly documented, but they rely on the developer to enforce them – a design choice that has led to similar bugs in OpenSSL, BoringSSL, and mbed TLS over the years. wolfSSL’s swift patch and transparent disclosure are commendable, but the incident underscores the need for automated testing that pushes streaming APIs past their nominal boundaries.

For Windows enthusiasts and IT administrators, the takeaway is clear: inventory every embedded device and application that might depend on wolfSSL, particularly those in IoT gateways, industrial controllers, or secure enclaves. The library’s small footprint makes it easy to overlook during asset discovery, yet its cryptographic role is foundational. Applying the 5.9.2 update closes a gap that could otherwise be used to dismantle the trust placed in encrypted links.