CVE-2025-11935
HIGHDescription
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.
Is your site exposed to CVE-2025-11935?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| wolfssl | wolfssl |
| apple | macos |
| linux | linux_kernel |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2025-11935? +
How severe is CVE-2025-11935? +
What products are affected by CVE-2025-11935? +
How do I check if I'm vulnerable to CVE-2025-11935? +
Related Vulnerabilities
A vulnerability exists in Algo Edge up to 2.1.1 - a previously used (legacy) component of navify® Algorithm Suite. The …
The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows …
Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. In versions prior to commit 6ce60b1, an attacker may …
Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: …
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET …
Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .