CVE-2025-11931 - Integer Underflow in XChaCha20-Poly1305 Decrypt Leads to Out-of-Bounds Access

A new vulnerability, CVE-2025-11931, has been discovered in the implementation of XChaCha20-Poly1305 in several open-source cryptographic libraries. This bug specifically affects direct uses of the function wc_XChaCha20Poly1305_Decrypt() (WolfSSL), not standard TLS connections. When exploited, an attacker can trigger an integer underflow, resulting in an out-of-bounds memory access.

In this post, we’ll break down how this vulnerability occurs, illustrate the issue with code snippets, and provide you with steps to check if you’re affected. We’ll also discuss the potential impact, and link to references and fixes.

What Is XChaCha20-Poly1305?

XChaCha20-Poly1305 is a widely used authenticated encryption algorithm offering nonce-misuse resistance. It’s commonly enforced in secure messaging, file encryption, and some network protocols, thanks to its speed and robust security properties.

However, any flaw in its implementation can severely undermine the security of applications using it.

Where Does The Vulnerability Lie?

The problem is with the function wc_XChaCha20Poly1305_Decrypt() in wolfSSL. This function is meant to decrypt data encrypted with XChaCha20-Poly1305, validating the authenticity in the process. Importantly, this code is not used in standard TLS connections—only in explicit application calls.

Vulnerable Function Signature

int wc_XChaCha20Poly1305_Decrypt(
    const unsigned char *key, unsigned int keySz,
    const unsigned char *nonce, unsigned int nonceSz,
    const unsigned char *aad, unsigned int aadSz,
    const unsigned char *cipherText, unsigned int ctSz,
    unsigned char *plainText, const unsigned char *authTag,
    unsigned int authTagSz)

The Integer Underflow

This function checks the ciphertext size (ctSz) against the expected authentication tag size (authTagSz). The critical bug arises in the calculation where the code subtracts authTagSz from ctSz without proper bounds checking.

This means if ctSz is less than authTagSz (accidentally or intentionally), the subtraction underflows—wrapping around the integer back to a very large number. When the function then attempts to access memory based on this negative value, you can end up reading or writing out-of-bounds.

Code Example (Vulnerable Snippet)

// Remove authTagSz from the ciphertext length
unsigned int msg_len = ctSz - authTagSz;
memcpy(plainText, cipherText, msg_len); // Oops!

If ctSz < authTagSz, msg_len will underflow to a large positive number, making the subsequent memcpy massively out-of-bounds.

Information Disclosure: Sensitive data from memory could be leaked.

- Crashes/Denial of Service: Maliciously crafted inputs can crash the server or application using this function.
- Remote Code Execution (Theoretical): If out-of-bounds writes are possible, code execution could be possible, but this would require more favorable conditions.

How Could Someone Exploit This?

An attacker can call the vulnerable function directly (not via TLS), passing in small ciphertexts and larger-than-normal tag sizes, or vice versa, triggering the bug.

Toy Example (Pseudo-Exploit)

unsigned char fakeKey[32];
unsigned char fakeNonce[24];
unsigned char fakeAAD[12];
unsigned char tinyCipherText[8];
unsigned char authTag[16];
unsigned char plainTextOutput[64];

// Attacker-supplied: ctSz < authTagSz
wc_XChaCha20Poly1305_Decrypt(
    fakeKey, 32,
    fakeNonce, 24,
    fakeAAD, 12,
    tinyCipherText, 8,
    plainTextOutput, authTag, 16
);

This will result in a massive out-of-bounds memcpy().

You might be at risk if

- Your app or service uses XChaCha20-Poly1305 via direct API calls (e.g., file encryption, custom protocol).

Fix And Mitigation

wolfSSL and likely other libraries are pushing fixes that correctly validate input sizes before subtracting.

Example Fix

if (ctSz < authTagSz)
    return BAD_INPUT_ERROR;
unsigned int msg_len = ctSz - authTagSz;
memcpy(plainText, cipherText, msg_len);

Update your library!
- wolfSSL Security Advisories

More Information

- wolfSSL CVE-2025-11931 Advisory (official)
- Project Issue Tracker: GitHub wolfSSL
- NIST NVD Entry for CVE-2025-11931

Conclusion

While not as headline-grabbing as remote exploits, integer underflow bugs like CVE-2025-11931 are subtle and dangerous—especially in cryptography. If you use XChaCha20-Poly1305 via direct calls, review your implementation and update immediately. Always validate your parameters and keep your dependencies up to date.

References

- https://www.wolfssl.com/docs/security-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2025-11931
- https://github.com/wolfSSL/wolfssl/issues

Credit: Research by diligent open source contributors!


*If you found this useful, share with your development and security teams to make sure your software is protected.*

Timeline

Published on: 11/21/2025 23:15:43 UTC
Last modified on: 12/04/2025 16:21:09 UTC