CVE-2022-46393 — Out-of-bounds Read in ARM Mbed TLS

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.9%

top 24.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS Fedoraproject Fedora

Timeline

PublishedDec 15

Latest updateFeb 15

Description

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDarm/mbed_tls3.0.0 — 3.3.0+1

▶Debianmbed/mbedtls< 2.28.2-1+2

Also affects: Fedora 36, 37

🔴Vulnerability Details

GHSA

GHSA-pjwj-r3p9-jjrq: An issue was discovered in Mbed TLS before 2↗2022-12-16

▶

OSV

CVE-2022-46393: An issue was discovered in Mbed TLS before 2↗2022-12-15

▶

CVEList

CVE-2022-46393: An issue was discovered in Mbed TLS before 2↗2022-12-15

▶

📋Vendor Advisories

CISA ICS

Siemens SCALANCE XCM-/XRM-300↗2024-02-15

▶

Debian

CVE-2022-46393: mbedtls - An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is...↗2022

▶