GHSA-34qm-63x6-fcm3 · Severity: medium — wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the...
wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a MAC that is independent of the input. When the supplied key is longer than the BLAKE2 block size the key-hashing branch reinitialized the running hash state, discarding the accumulated message data, so the resulting MAC depended only on the key and not on the message being authenticated. This bug is specific to the HMAC-BLAKE2 APIs that were added in wolfSSL version 5.9.0.
Conclusion & alert: CVE-2026-8720 is rated Low Risk (23.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.09%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-26 | — | 0.09% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-34qm-63x6-fcm3 · Severity: medium — wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-8720 not yet assigned priority: Debian including 1 source packages (wolfssl), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): open 3, resolved 1. | https://security-tracker.debian.org/tracker/CVE-2026-8720 |
ubuntu
|
medium | CVE-2026-8720 medium priority: Ubuntu including 1 source packages (wolfssl), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, resolute, upstream): needs-triage 7. | https://ubuntu.com/security/CVE-2026-8720 |
| URL | Tags |
|---|---|
| https://github.com/wolfSSL/wolfssl/pull/10447 | Issue Tracking Patch |
| https://www.wolfssl.com/docs/security-vulnerabilities/ | Vendor Advisory |