diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-1.patch
new file mode 100644
index 0000000000..33823c2b9f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-1.patch
@@ -0,0 +1,62 @@
+From 6d6d06c05f84b190c43c9b75c6fa11375d2be424 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 08:31:14 -0500
+Subject: [PATCH] Fix ARIA build issue and FIPS guard
+
+(cherry picked from commit 6495e8e94115f7f6beb67497e07bac5cba8dca9c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/6495e8e94115f7f6beb67497e07bac5cba8dca9c]
+
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 992c10d2c..fbf227a93 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -19023,7 +19023,9 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ #if (!defined(NO_PUBLIC_GCM_SET_IV) && \
+     ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
+     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \
+-    (defined(HAVE_POLY1305) && defined(HAVE_CHACHA))
++    (defined(HAVE_POLY1305) && defined(HAVE_CHACHA)) || \
++    defined(HAVE_ARIA) || \
++    defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+ static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
+ {
+     int i;
+@@ -20006,10 +20008,9 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+                 sizeof(ssl->encrypt.sanityCheck));
+         #endif
+ 
+-        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || defined(HAVE_ARIA)
++        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
+-                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm ||
+-                ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
++                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
+             {
+                 /* finalize authentication cipher */
+ #if !defined(NO_PUBLIC_GCM_SET_IV) && \
+@@ -20020,7 +20021,17 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+                 if (ssl->encrypt.nonce)
+                     ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
+             }
+-        #endif /* BUILD_AESGCM || HAVE_AESCCM || HAVE_ARIA */
++        #endif /* BUILD_AESGCM || HAVE_AESCCM */
++        #ifdef HAVE_ARIA
++            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
++            {
++                /* finalize authentication cipher — wc_AriaEncrypt is
++                 * stateless, so the explicit IV must always advance */
++                AeadIncrementExpIV(ssl);
++                if (ssl->encrypt.nonce)
++                    ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
++            }
++        #endif /* HAVE_ARIA */
+         #if defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_ccm ||
+                 ssl->specs.bulk_cipher_algorithm == wolfssl_sm4_gcm)
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-2.patch
new file mode 100644
index 0000000000..9368ff3d0b
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5446-2.patch
@@ -0,0 +1,27 @@
+From 88fc52b8e3bca58389a4a107a77f9dc52e3baa12 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 31 Mar 2026 09:35:43 -0500
+Subject: [PATCH] Fix feedback from review
+
+(cherry picked from commit a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c)
+
+CVE: CVE-2026-5446
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/a3fad2af91da39e2a4bdaf528bcfb2a94c4dd67c]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index fbf227a93..ccfecc235 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -20025,7 +20025,7 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
+         #ifdef HAVE_ARIA
+             if (ssl->specs.bulk_cipher_algorithm == wolfssl_aria_gcm)
+             {
+-                /* finalize authentication cipher — wc_AriaEncrypt is
++                /* finalize authentication cipher -- wc_AriaEncrypt is
+                  * stateless, so the explicit IV must always advance */
+                 AeadIncrementExpIV(ssl);
+                 if (ssl->encrypt.nonce)
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index a2d184fd54..249880e161 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -41,6 +41,8 @@ SRC_URI = " \
     file://CVE-2026-3580.patch \
     file://CVE-2026-5188.patch \
     file://CVE-2026-5392.patch \
+    file://CVE-2026-5446-1.patch \
+    file://CVE-2026-5446-2.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"