CVE-2018-9989 — Out-of-bounds Read in ARM Mbed TLS

CWE-125 — Out-of-bounds Read5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 39.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS Debian Linux

Timeline

PublishedApr 10

Latest updateMay 13

Description

ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDarm/mbed_tls2.7.0 — 2.7.2+2

▶Debianmbed/mbedtls< 2.8.0-1+3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-w8m4-8r7x-cjvp: ARM mbed TLS before 2↗2022-05-13

▶

OSV

CVE-2018-9989: ARM mbed TLS before 2↗2018-04-10

▶

CVEList

CVE-2018-9989: ARM mbed TLS before 2↗2018-04-10

▶

📋Vendor Advisories

Debian

CVE-2018-9989: mbedtls - ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-rea...↗2018

▶