new file mode 100644
@@ -0,0 +1,62 @@
+From 6d6d06c05f84b190c43c9b75c6fa11375d2be424 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 08:31:14 -0500
+Subject: [PATCH] Fix ARIA build issue and FIPS guard
+
+(cherry picked from commit 6495e8e94115f7f6beb67497e07bac5cba8dca9c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/6495e8e94115f7f6beb67497e07bac5cba8dca9c]
+
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 992c10d2c..fbf227a93 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -19023,7 +19023,9 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ #if (!defined(NO_PUBLIC_GCM_SET_IV) && \
+ ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
+ (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \
+- (defined(HAVE_POLY1305) && defined(HAVE_CHACHA))
++ (defined(HAVE_POLY1305) && defined(HAVE_CHACHA)) || \
++ defined(HAVE_ARIA) || \
++ defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+ static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
+ {
+ int i;
+@@ -20006,10 +20008,9 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+ sizeof(ssl->encrypt.sanityCheck));
+ #endif
+
+- #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || defined(HAVE_ARIA)
++ #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
+ if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
+- ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm ||
+- ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
++ ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
+ {
+ /* finalize authentication cipher */
+ #if !defined(NO_PUBLIC_GCM_SET_IV) && \
+@@ -20020,7 +20021,17 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+ if (ssl->encrypt.nonce)
+ ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
+ }
+- #endif /* BUILD_AESGCM || HAVE_AESCCM || HAVE_ARIA */
++ #endif /* BUILD_AESGCM || HAVE_AESCCM */
++ #ifdef HAVE_ARIA
++ if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
++ {
++ /* finalize authentication cipher — wc_AriaEncrypt is
++ * stateless, so the explicit IV must always advance */
++ AeadIncrementExpIV(ssl);
++ if (ssl->encrypt.nonce)
++ ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
++ }
++ #endif /* HAVE_ARIA */
+ #if defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+ if (ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_ccm ||
+ ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_gcm)
new file mode 100644
@@ -0,0 +1,27 @@
+From 88fc52b8e3bca58389a4a107a77f9dc52e3baa12 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 09:35:43 -0500
+Subject: [PATCH] Fix feedback from review
+
+(cherry picked from commit a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index fbf227a93..ccfecc235 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -20025,7 +20025,7 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+ #ifdef HAVE_ARIA
+ if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
+ {
+- /* finalize authentication cipher — wc_AriaEncrypt is
++ /* finalize authentication cipher -- wc_AriaEncrypt is
+ * stateless, so the explicit IV must always advance */
+ AeadIncrementExpIV(ssl);
+ if (ssl->encrypt.nonce)
@@ -31,6 +31,8 @@ SRC_URI = " \
file://CVE-2026-3580.patch \
file://CVE-2026-5188.patch \
file://CVE-2026-5392.patch \
+ file://CVE-2026-5446-1.patch \
+ file://CVE-2026-5446-2.patch \
"
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"