<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title><![CDATA[wolfSSL - Embedded SSL Library — wolfSSL 5.9.2 release blog]]></title>
		<link>https://www.wolfssl.com/forums/topic2534-wolfssl-592-release-blog.html</link>
		<atom:link href="https://www.wolfssl.com/forums/feed-rss-topic2534.xml" rel="self" type="application/rss+xml" />
		<description><![CDATA[The most recent posts in wolfSSL 5.9.2 release blog.]]></description>
		<lastBuildDate>Mon, 29 Jun 2026 21:12:42 +0000</lastBuildDate>
		<generator>PunBB</generator>
		<item>
			<title><![CDATA[wolfSSL 5.9.2 release blog]]></title>
			<link>https://www.wolfssl.com/forums/post8841.html#p8841</link>
			<description><![CDATA[<p><a href="https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.2-stable">wolfSSL 5.9.2</a> has been released with a broad range of new features and enhancements around Post-Quantum Cryptography, crypto callback support, our Rust wrapper, and embedded hardware support. Similar to <a href="https://www.wolfssl.com/wolfssl-5-9-1-release-blog/">wolfSSL 5.9.1</a>, a large number of CVEs are addressed in this release, along with general bug fixes. Additionally, there are some security hardening behavior changes we want to note.</p><p><span class="bbu"><strong>Vulnerabilities</strong></span><br />This release addressed 32 CVEs in total, which is in line with the <a href="https://www.wolfssl.com/why-is-wolfssl-reporting-so-many-cves/">previously discussed trend</a> of AI-driven CVE reporting. While this is an increase in absolute number over the previous release, it is important to note a few points:<br /></p><ul><li><p>The number of [High] and [Critical] CVEs actually decreased.</p></li></ul><ul><li><p>The time between releases 5.9.2 and 5.9.1 (~ 2 months) was larger than between 5.9.1 and 5.9.0 (&lt; 1 month).</p></li></ul><ul><li><p>The [High] CVEs this release were more narrow in scope, constrained mainly to specific OpenSSL compatibility API, or features that are disabled by default.</p></li></ul><p>Use cases that are affected by [High] severity CVEs are: X509 verification with –enable-opensslextra with the API X509_verify_cert(), DTLS 1.3, the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) with TLS 1.3, X509 chain validation with Raw Public Key support (HAVE_RPK), and the OpenSSL compatibility API PKCS7_verify().</p><p>We would like to thank the many researchers from teams at NVIDIA Project Vanessa, Anthropic, UC Berkeley Sky Lab, as well as all the many independent contributors who responsibly disclosed these vulnerabilities.</p><p>See our <a href="https://www.wolfssl.com/docs/security-vulnerabilities/">wolfSSL Vulnerability</a> page for the full list.</p><p><span class="bbu"><strong>New Features</strong></span><br /></p><ul><li><p><a href="https://github.com/wolfSSL/wolfssl/pull/10066">wolfCrypt SRAM PUF</a> (Physically Unclonable Function) support, deriving device-unique keys from SRAM power-on state using a BCH fuzzy extractor and HKDF (wc_PufInit, wc_PufEnroll, wc_PufReconstruct).</p></li></ul><ul><li><p><a href="https://github.com/wolfSSL/wolfssl/pull/10009">wolfCrypt SHE</a> (Secure Hardware Extension) support for the <a href="https://www.autosar.org/fileadmin/standards/R21-11/FO/AUTOSAR_TR_SecureHardwareExtensions.pdf">SHE key management standard</a>.</p></li></ul><p><span class="bbu"><strong>Security Hardening / Behavior changes</strong></span><br /></p><ul><li><p>FIPS 205 SLH-DSA: The SLH-DSA sign/verify hash APIs <a href="https://github.com/wolfSSL/wolfssl/pull/10450">now take a pre-hashed message digest</a> instead of a raw message (callers must now hash the message before invoking these APIs). This brings SLH-DSA’s behavior in line with ML-DSA’s wc_dilithium_{sign,verify}_ctx_hash API, as well as NIST’s ACVP signature interface.</p></li></ul><ul><li><p>FIPS 204 ML-DSA: We <a href="https://github.com/wolfSSL/wolfssl/pull/10436">renamed</a> the post-quantum signature implementation from its pre-standardization name Dilithium to its NIST-standardized name ML-DSA (mirroring the earlier Kyber to ML-KEM rename). The header wolfssl/wolfcrypt/dilithium.h remains for now as a temporary compatibility shim.</p></li></ul><ul><li><p>Our CmacVerify APIs <a href="https://github.com/wolfSSL/wolfssl/pull/10462">were hardened</a> to more closely conform to <a href="https://csrc.nist.gov/pubs/sp/800/38/b/upd1/final">NIST SP 800-38B</a> MAC length guidance, and these verify functions will now correctly enforce bounds on tag length checks.</p></li></ul><ul><li><p><a href="https://github.com/wolfSSL/wolfssl/pull/10595">RSA-PSS decoding was hardened</a> to better conform to RFC 8017 A.2.3 guidance on trailer bits.</p></li></ul><p><span class="bbu"><strong>Crypto Callbacks</strong></span><br /></p><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/9851">WOLF_CRYPTO_CB_SETKEY and WOLF_CRYPTO_CB_EXPORT_KEY</a> generic crypto callback utilities.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10351">wc_swdev</a>, a software CryptoCb device used by our test programs to exercise WOLF_CRYPTO_CB_ONLY_* builds.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10550">WOLF_CRYPTO_CB_ONLY_SHA512</a> support.</p></li></ul><ul><li><p>Added CryptoCb support for <a href="https://github.com/wolfSSL/wolfssl/pull/10466">SLH-DSA</a>.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10380">crypto callback support</a> for LMS and XMSS (crucial to their stateful management!).</p></li></ul><ul><li><p>Added support for <a href="https://github.com/wolfSSL/wolfssl/pull/10246">zeroizing AES session keys</a> in TLS 1.3 with WOLF_CRYPTO_CB_AES_SETKEY.</p></li></ul><p><span class="bbu"><strong>Post Quantum Cryptography</strong></span><br /></p><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/9843">SHA-512 DRBG and FIPS module-boundary wrappers</a> for ML-KEM, ML-DSA, LMS, XMSS, and SLH-DSA as part of the upcoming post-quantum FIPS submission.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10572">support for RFC 9802</a> LMSS / XMSS in X.509 certificate and CSR generation.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10077">ML-KEM support for PKCS11</a>.</p></li></ul><p><span class="bbu"><strong>Hardware and Embedded Ports</strong></span><br /></p><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10278">NXP LPC55S69 hardware crypto</a> support.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10361">STM32U3 hardware crypto</a> support.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10268">Zephyr 4.3 default TLS-socket</a> support.</p></li></ul><p><span class="bbu"><strong>Rust Wrapper</strong></span><br /></p><ul><li><p>Added Rust crate trait implementations for: <a href="https://github.com/wolfSSL/wolfssl/pull/10070">rand_core, aead, and cipher, digest and signature</a>, and <a href="https://github.com/wolfSSL/wolfssl/pull/10305">password-hash, kem, and mac</a>.</p></li></ul><ul><li><p>Added <a href="https://github.com/wolfSSL/wolfssl/pull/10556">scrypt KDF and RSA-OAEP</a>support.</p></li></ul><p><span class="bbu"><strong>Pruning / Cleanup</strong></span><br /></p><ul><li><p>The liboqs integrations for ML-KEM and ML-DSA <a href="https://github.com/wolfssl/wolfssl/pull/10293">were removed</a>.</p></li></ul><ul><li><p>The liboqs SPHINCS+ implementation <a href="https://github.com/wolfSSL/wolfssl/pull/10261">was replaced</a> with our own SLH-DSA.</p></li></ul><ul><li><p>The external liblms / libxmss integrations <a href="https://github.com/wolfSSL/wolfssl/pull/10292">were removed</a> (we’ve had our own <a href="https://www.wolfssl.com/wolfcrypt-implementations-of-lms-hss-and-xmss-xmssmt-signatures-build-options-and-benchmarks-intel-x86/">more performant</a> implementations for a while).</p></li></ul><p>If you have questions about any of the above, please contact us at <a href="mailto:facts@wolfssl.com">facts@wolfssl.com</a> or call us at +1 425 245 8247.</p><p><strong><a href="https://www.wolfssl.com/download/">Download</a> wolfSSL Now</strong></p>]]></description>
			<author><![CDATA[null@example.com (shizuka)]]></author>
			<pubDate>Mon, 29 Jun 2026 21:12:42 +0000</pubDate>
			<guid>https://www.wolfssl.com/forums/post8841.html#p8841</guid>
		</item>
	</channel>
</rss>
