CVE-2025-27810: Use of Uninitialized Resource in Mbedtls

Severity
NVD: 4.8 (MEDIUM)
CNA: 5.4
OSV: 9.8
EPSS: 0.1% (top 72.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 25
Latest update: Mar 25

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (4 packages)

Source: package, affected range (further entries)
CVEListV5: mbed/mbedtls, 3.0.0 to 3.6.3 (+1 more)
NVD: arm/mbed_tls, 3.0.0 to 3.6.3 (+1 more)
Debian: mbed/mbedtls, < 3.6.3-1 (+1 more)
Ubuntu: mbed/mbedtls, < 2.8.0-1ubuntu0.1~esm1 (+3 more)

Vulnerability Details (4)

OSV: mbedtls vulnerabilities (2026-03-25)
CVEList: CVE-2025-27810: Mbed TLS before 2... (2025-03-25)
OSV: CVE-2025-27810: Mbed TLS before 2... (2025-03-25)
GHSA: GHSA-vvqm-mmw4-qwg5: Mbed TLS before 2... (2025-03-25)

Vendor Advisories (3)

Ubuntu: Mbed TLS vulnerabilities (2026-03-25)
Microsoft: Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to... (2025-03-11)
Debian: CVE-2025-27810: mbedtls - Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory all... (2025)
CVE-2025-27810 — Use of Uninitialized Resource | cvebase