CVE-2026-34877: Execution with Unnecessary Privileges in ARM Mbed TLS

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.1% (top 64.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Apr 2; latest update Apr 3

Description

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: arm/mbed_tls, affected from 2.19.0, fixed in 3.6.6 (+1 further range)

Vulnerability Details (4)

OSV | CVE-2026-34877: An issue was discovered in Mbed TLS versions from 2... (2026-04-03)
CVEList | CVE-2026-34877: An issue was discovered in Mbed TLS versions from 2... (2026-04-02)
OSV | CVE-2026-34877: An issue was discovered in Mbed TLS versions from 2... (2026-04-02)
GHSA | GHSA-xg3m-c464-j5fh: An issue was discovered in Mbed TLS versions from 2... (2026-04-02)

Vendor Advisories (1)

Debian | CVE-2026-34877: mbedtls - An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4... (2026)

Threat Intelligence (11, related entries)

Wiz | CVE-2026-34873 Impact, Exploitability, and Mitigation Steps
Wiz | CVE-2026-34871 Impact, Exploitability, and Mitigation Steps
Wiz | CVE-2026-25835 Impact, Exploitability, and Mitigation Steps
Wiz | CVE-2026-34876 Impact, Exploitability, and Mitigation Steps
Wiz | CVE-2026-25833 Impact, Exploitability, and Mitigation Steps

Community (1)

Bugzilla | CVE-2026-34877 micropython: Risk of insufficient protection of serialized session or context data leading to potential memory safety issues [fedora-all] (2026-04-02)

Source: cvebase