CVE-2024-45158Stack-based Buffer Overflow in ARM Mbed TLS

CWE-121Stack-based Buffer Overflow5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
0.7%
top 28.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mbed MbedtlsARM Mbed TLS
Timeline
PublishedSep 5

Description

An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This never happens in internal library calls, but can affect applications that call these functions directly.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

Alpinembed/mbedtls< 3.6.1-r0+3
NVDarm/mbed_tls3.6.0

🔴Vulnerability Details

3
CVEList
CVE-2024-45158: An issue was discovered in Mbed TLS 32024-09-05
OSV
CVE-2024-45158: An issue was discovered in Mbed TLS 32024-09-05
GHSA
GHSA-hw5v-7r63-g2h6: An issue was discovered in Mbed TLS 32024-09-05

📋Vendor Advisories

1
Debian
CVE-2024-45158: mbedtls - An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in...2024
CVE-2024-45158 — Stack-based Buffer Overflow in ARM | cvebase