wolfSSL 5.9.1 release blog

wolfSSL 5.9.1 is available with new features, post-quantum cryptography improvements, broad bug fixes, and a number of vulnerability fixes. Users are always recommended to stay up to date with wolfSSL releases. In this release, use cases that are affected by high severity reports are: PKCS7 with ORI callback set or AuthEnvelopedData with AES-GCM (--enable-pkcs7), ECDSA certificate verification with EdDSA or ML-DSA enabled, URI nameConstraints enforcement with intermediate CAs, X.509 certificate conversion via CertFromX509 with AuthorityKeyIdentifier, DTLS 1.3 (--enable-dtls13), ECH (--enable-ech), ECCSI signature verification (--enable-eccsi), AES-EAX/CMAC with large messages, and ChaCha20-Poly1305 via EVP or X509_verify_cert via the OpenSSL compatibility layer (--enable-opensslextra).

Getting started with wolfSSL? Download the latest libraries here and start exploring.

Security Vulnerabilities Addressed

This release addresses 22 CVEs across critical, high, medium, and low severity levels. Notably, we have received many quality AI-assisted vulnerability reports this cycle. Thanks to all the researchers who responsibly disclosed issues, including teams from Anthropic, KENTECH, Calif.io, eWalker Consulting, and several independent contributors.

For the full list of vulnerabilities addressed, visit the wolfSSL Vulnerability Page.

Default Build Changes

  • ML-KEM (FIPS 203) enabled by default — Post-quantum key encapsulation is now on by default, making it easier than ever to adopt quantum-resistant cryptography.
  • ECC curve validation is now enabled unconditionally in default builds, removing the previous dependency on USE_ECC_B_PARAM.

New Features

  • Brainpool curve support added to wolfSSL_CTX_set1_sigalgs_list for broader European cryptographic standard compatibility.
  • DTLS 1.3 / TLS 1.3 write-dup support: the duplicate SSL object functionality now lets the read side delegate post-handshake tasks (KeyUpdate, ACK, post-handshake authentication) to the write side.

Post-Quantum Cryptography Updates

  • The context-aware FIPS 204 ML-DSA (Dilithium) API is now the default, with the legacy non-context API gated behind WOLFSSL_DILITHIUM_NO_CTX.
  • Sensitive memory buffers in the ML-DSA implementation are now zeroized to prevent leakage of cryptographic material.
  • Private key validation checks added for Ed25519, Ed448, ML-DSA, and ML-KEM operations.
  • Buffer size and callback validation added to wc_LmsKey_Sign.
  • Fixed out-of-bounds shift and undefined behavior issues in ML-DSA and SLH-DSA implementations.

TLS and DTLS Improvements

  • Fixed DTLS 1.3 ServerHello to comply with the specification by not echoing legacy_session_id.
  • Fixed TLS 1.3 server to correctly reject mismatched ciphersuites in second ClientHello after HelloRetryRequest.
  • Resolved multiple correctness issues in DTLS 1.3 and TLS 1.3 including missing bounds checks, PSK identity buffer overreads, and resource leaks.
  • HPKE implementation fixes and refactoring with tests for all 24 algorithm combination variants.

Hardware and Embedded Ports

  • SE050 hardware security module integration fixes for RSA-PSS and persistent key slot management.
  • Broad correctness improvements across Espressif, Renesas, Silicon Labs, NXP, STM32, TI, Xilinx, and other hardware targets.
  • Fixed buffer overflows, key material exposure, mutex leaks, and logic errors across hardware crypto backends.

Rust Wrapper

  • Released version 1.2.0 of the wolfssl-wolfcrypt Rust crate.
  • Updated build script to support cross-compiling and bare-metal targets including RISC-V architectures.

Get the Update

We recommend all wolfSSL users update to version 5.9.1. Dive into the full ChangeLog for a complete list of changes.

Download wolfSSL 5.9.1

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.