CVE-2023-6936: 
wolfSSL vulnerability analysis and mitigation

A malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes when WOLFSSL_CALLBACKS is enabled in wolfSSL prior to version 5.6.6. This vulnerability is tracked as CVE-2023-6936 and was discovered in February 2024. The issue specifically affects the WOLFSSL_CALLBACKS functionality, which is only intended for debugging purposes (WolfSSL Security, NVD CVE).

The vulnerability is classified as a heap-based buffer over-read (CWE-125) that occurs when callback functions are enabled via the WOLFSSL_CALLBACKS flag. The issue has received varying CVSS severity ratings, with NVD assigning a CVSS 3.1 base score of 9.1 (CRITICAL) while wolfSSL Inc. rated it at 5.3 (MEDIUM). The vulnerability specifically manifests when processing TLS connections with the debugging callbacks enabled (NVD CVE).

The vulnerability allows an attacker to read 5 bytes beyond the intended buffer boundary on the heap when WOLFSSL_CALLBACKS is enabled. While the feature is intended only for debugging purposes, systems running with this option enabled in production environments could be vulnerable to information disclosure or potential system crashes (WolfSSL Security).

The vulnerability has been fixed in wolfSSL version 5.6.6. Users are recommended to either update to this version or later, or disable the WOLFSSL_CALLBACKS feature if it's not required. Since WOLFSSL_CALLBACKS is intended only for debugging purposes, it should not be enabled in production environments (WolfSSL Security, GitHub PR).