Mbed TLS (mbed/mbedtls) vulnerabilities

52 known vulnerabilities affecting mbed/mbedtls.

Total CVEs: 52
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 14, MEDIUM 26, LOW 2

Vulnerabilities

Page 1 of 3
CVE-2021-44732 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 2.8.0-1ubuntu0.1~esm1; ≥ 0, < 2.16.4-1ubuntu2+esm1; +2 more | 2026-03-25
CVE-2021-44732 [CRITICAL] It was discovered that Mbed TLS incorrectly handled memory allocation failures. A remote attacker could possibly use this issue to crash the program. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-44732) Jonathan Winzig discovered that Mbed TLS incorrectly handled crafted inputs. A remote attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue o
Sources: osv
CVE-2025-59438 | MEDIUM | CVSS 5.3 | affected: ≥ 0, < 3.6.5-0.1~deb13u1; ≥ 0, < 3.6.5-0.1 | 2025-10-21
CVE-2025-59438 [MEDIUM] Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.
Sources: osv
CVE-2025-54764 | MEDIUM | CVSS 6.2 | affected: ≥ 0, < 3.6.5-0.1~deb13u1; ≥ 0, < 3.6.5-0.1 | 2025-10-20
CVE-2025-54764 [MEDIUM] Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and against direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.
Sources: osv
CVE-2025-47917 | CRITICAL | CVSS 9.8 | PoC available | fixed in 3.6.4 | 2025-07-20
CVE-2025-47917 [CRITICAL] CWE-416 Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function d
Sources: cvelistv5, nvd, osv
CVE-2025-48965 | HIGH | CVSS 7.5 | fixed in 3.6.4 | 2025-07-20
CVE-2025-48965 [HIGH] CWE-696 Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.
Sources: cvelistv5, nvd, osv
CVE-2025-49087 | LOW | CVSS 3.7 | affected: ≥ 3.6.1, < 3.6.4 | 2025-07-20
CVE-2025-49087 [LOW] CWE-385 In Mbed TLS 3.6.1 through 3.6.3 (fixed in 3.6.4), a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used. The padding check's running time depended on the secret padding bytes, which is the precondition for a padding-oracle attack.
Sources: cvelistv5, nvd, osv
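The class of bug behind CVE-2025-49087 is easiest to see side by side. The block below is an added example written for this page, not Mbed TLS's own padding code: a variable-time PKCS#7 unpadder that exits at the first bad byte (so its timing depends on secret plaintext), next to a constant-time version that always inspects the whole final block and folds every condition into a mask. The sample blocks are constructed; block size and buffer length are treated as public, so branching on them is fine.

```c
/* Added example (not Mbed TLS code): leaky vs constant-time PKCS#7 unpadding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFF if a == b, else 0x00, with no data-dependent branch. */
static uint8_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;                       /* zero iff equal */
    return (uint8_t)(0u - ((x - 1u) >> 31));  /* (x - 1) borrows into bit 31 only when x == 0 */
}

/* 0xFF if a < b, else 0x00; both inputs must be below 2^31. */
static uint8_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return (uint8_t)(0u - ((a - b) >> 31));   /* bit 31 set iff a - b wrapped */
}

/* Variable-time version: each early return leaks how far the check got. */
int pkcs7_unpad_leaky(const uint8_t *buf, size_t len, size_t block_size, size_t *out_len)
{
    if (len == 0 || block_size == 0 || block_size > 255 || len % block_size != 0)
        return -1;
    size_t pad = buf[len - 1];
    if (pad == 0 || pad > block_size)
        return -1;                                 /* leaks the padding range */
    for (size_t i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad)
            return -1;                             /* leaks the first mismatching position */
    *out_len = len - pad;
    return 0;
}

/* Constant-time version: 0 on valid padding, -1 otherwise. On failure
 * *out_len is set to len (nothing removed). */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t block_size, size_t *out_len)
{
    if (len == 0 || block_size == 0 || block_size > 255 || len % block_size != 0)
        return -1;
    uint32_t pad = buf[len - 1];
    uint8_t bad = ct_mask_eq(pad, 0) | ct_mask_lt((uint32_t)block_size, pad);
    /* Touch every byte of the last block; bytes inside the claimed padding
     * region are selected by mask, never by a branch. */
    for (uint32_t i = 0; i < (uint32_t)block_size; i++) {
        uint8_t in_pad  = ct_mask_lt(i, pad);
        uint8_t differs = (uint8_t)~ct_mask_eq(buf[len - 1 - i], pad);
        bad |= in_pad & differs;
    }
    uint32_t ok_bit = 1u & (uint32_t)(uint8_t)~bad;   /* 1 iff padding valid */
    *out_len = len - (size_t)(pad * ok_bit);          /* pad <= block_size <= len when ok */
    return -(int)(bad & 1u);
}

/* Constructed samples (16-byte block): "hello" + 11 bytes of 0x0B; the same with
 * one padding byte corrupted; a last byte claiming 32 bytes of padding; and a
 * full block of padding as emitted for a message that exactly fills a block. */
static const uint8_t SAMPLE_GOOD[16]     = { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11,11,11 };
static const uint8_t SAMPLE_BAD[16]      = { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11, 7,11 };
static const uint8_t SAMPLE_TOO_LONG[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x20 };
static const uint8_t SAMPLE_FULL[16]     = { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };

/* Wrappers: recovered plaintext length, or -1 if the padding is invalid. */
long pkcs7_ct_len(const uint8_t *buf, size_t len, size_t block_size)
{
    size_t out = 0;
    return pkcs7_unpad_ct(buf, len, block_size, &out) == 0 ? (long)out : -1L;
}
long pkcs7_leaky_len(const uint8_t *buf, size_t len, size_t block_size)
{
    size_t out = 0;
    return pkcs7_unpad_leaky(buf, len, block_size, &out) == 0 ? (long)out : -1L;
}

int main(void)
{
    printf("good: %ld  bad: %ld  too-long: %ld  full: %ld\n",
           pkcs7_ct_len(SAMPLE_GOOD, 16, 16), pkcs7_ct_len(SAMPLE_BAD, 16, 16),
           pkcs7_ct_len(SAMPLE_TOO_LONG, 16, 16), pkcs7_ct_len(SAMPLE_FULL, 16, 16));
    return 0;
}
```

Both versions return the same verdicts; the difference is only in what the running time reveals. The constant-time variant still branches on `len` and `block_size`, which is acceptable because those are public; the secret is the padding byte and the bytes it claims to cover.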
CVE-2025-52496 | HIGH | CVSS 7.8 | fixed in 3.6.4 | 2025-07-04
CVE-2025-52496 [HIGH] CWE-733 Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
Sources: cvelistv5, nvd, osv
CVE-2025-49601 | MEDIUM | CVSS 6.5 | affected: ≥ 3.3.0, < 3.6.4 | 2025-07-04
CVE-2025-49601 [MEDIUM] CWE-125 In Mbed TLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-
Sources: cvelistv5, nvd, osv
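To show the missing check in context, here is an added example (written for this page, not Mbed TLS's lms.c) that parses the RFC 8554 LMS public key encoding, u32 LMS type, u32 LM-OTS type, 16-byte I, then the root node T[1], with a remaining-length check before every fixed-width read. The SHA-256/M32 parameter sets assumed here (typecodes 5..9) all have a 32-byte T[1]; the sample key bytes are constructed and are not a real key.

```c
/* Added example (not Mbed TLS code): bounds-checked LMS public key import. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LMS_I_LEN      16                              /* key identifier I */
#define LMS_M          32                              /* node size for the SHA256_M32 sets */
#define LMS_PUBKEY_LEN (4 + 4 + LMS_I_LEN + LMS_M)     /* 56 bytes */

enum { LMS_OK = 0, LMS_ERR_TRUNCATED = -1, LMS_ERR_BAD_PARAM = -2 };

typedef struct {
    uint32_t lms_type;     /* LMS_SHA256_M32_H5..H25 = 5..9 (RFC 8554 s.5.1) */
    uint32_t lmots_type;   /* LMOTS_SHA256_N32_W1..W8 = 1..4 (RFC 8554 s.4.1) */
    uint8_t  I[LMS_I_LEN];
    uint8_t  T1[LMS_M];    /* Merkle tree root */
} lms_pubkey_t;

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Every read is preceded by a check of the bytes that remain, so a truncated
 * (even zero-length) buffer is rejected instead of being read past the end. */
int lms_import_public_key_checked(const uint8_t *key, size_t key_len, lms_pubkey_t *out)
{
    size_t off = 0;
    if (key == NULL || out == NULL)
        return LMS_ERR_BAD_PARAM;

    if (key_len - off < 4) return LMS_ERR_TRUNCATED;   /* the check CVE-2025-49601 describes */
    out->lms_type = read_be32(key + off);
    off += 4;
    if (out->lms_type < 5 || out->lms_type > 9)
        return LMS_ERR_BAD_PARAM;

    if (key_len - off < 4) return LMS_ERR_TRUNCATED;
    out->lmots_type = read_be32(key + off);
    off += 4;
    if (out->lmots_type < 1 || out->lmots_type > 4)
        return LMS_ERR_BAD_PARAM;

    if (key_len - off < LMS_I_LEN) return LMS_ERR_TRUNCATED;
    memcpy(out->I, key + off, LMS_I_LEN);
    off += LMS_I_LEN;

    if (key_len - off < LMS_M) return LMS_ERR_TRUNCATED;
    memcpy(out->T1, key + off, LMS_M);
    off += LMS_M;

    if (off != key_len)            /* trailing bytes are an error too */
        return LMS_ERR_BAD_PARAM;
    return LMS_OK;
}

/* Constructed sample: type 6 (H10), LM-OTS type 4 (W8), I = 0x00..0x0F,
 * T[1] = 0xA0..0xBF. Returns the encoded length. */
size_t lms_build_sample_key(uint8_t buf[LMS_PUBKEY_LEN])
{
    static const uint8_t hdr[8] = { 0,0,0,6, 0,0,0,4 };
    memcpy(buf, hdr, 8);
    for (int i = 0; i < LMS_I_LEN; i++) buf[8 + i] = (uint8_t)i;
    for (int i = 0; i < LMS_M; i++)     buf[8 + LMS_I_LEN + i] = (uint8_t)(0xA0 + i);
    return LMS_PUBKEY_LEN;
}

/* Import only the first n bytes of the sample key: models truncated input
 * reaching the importer. Returns the LMS_* result code. */
int lms_demo_import(size_t n, lms_pubkey_t *out)
{
    uint8_t buf[LMS_PUBKEY_LEN];
    lms_pubkey_t tmp;
    size_t full = lms_build_sample_key(buf);
    if (n > full) n = full;
    return lms_import_public_key_checked(buf, n, out ? out : &tmp);
}

/* LMS type recovered from the full sample key, or 0 if import fails. */
uint32_t lms_demo_parsed_type(void)
{
    lms_pubkey_t pk;
    return lms_demo_import(LMS_PUBKEY_LEN, &pk) == LMS_OK ? pk.lms_type : 0;
}

int main(void)
{
    printf("56 bytes: %d   3 bytes: %d   55 bytes: %d   type: %u\n",
           lms_demo_import(56, NULL), lms_demo_import(3, NULL),
           lms_demo_import(55, NULL), lms_demo_parsed_type());
    return 0;
}
```

The pattern worth copying is "check remaining length, then read" for every field rather than one up-front size comparison, so that any later change to the layout cannot silently reintroduce an unchecked read.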
CVE-2025-52497 | MEDIUM | CVSS 4.8 | fixed in 3.6.4 | 2025-07-04
CVE-2025-52497 [MEDIUM] CWE-193 Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.
Sources: cvelistv5, nvd, osv
CVE-2025-49600 | MEDIUM | CVSS 4.9 | affected: ≥ 3.3.0, < 3.6.4 | 2025-07-04
CVE-2025-49600 [MEDIUM] CWE-325 In Mbed TLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS
Sources: cvelistv5, nvd, osv
CVE-2025-27810 | MEDIUM | CVSS 4.8 | fixed in 2.28.10; affected: ≥ 3.0.0, < 3.6.3 | 2025-03-25
CVE-2025-27810 [MEDIUM] CWE-908 Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Sources: cvelistv5, nvd, osv
CVE-2025-27809 | MEDIUM | CVSS 5.4 | fixed in 2.28.10; affected: ≥ 3.0.0, < 3.6.3 | 2025-03-25
CVE-2025-27809 [MEDIUM] CWE-1188 Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname. In other words, chain validation alone succeeds, and the names in the certificate are never compared with the host the client meant to reach, so any certificate issued by a trusted CA is accepted.
Sources: cvelistv5, nvd, osv
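What the missing call leaves out is the name check. The block below is an added example for this page, not Mbed TLS code: a simplified RFC 6125 dNSName matcher (case-insensitive; a lone "*" as the whole left-most label, standing for exactly one label and never for the public suffix) and a stub `accept_peer` in which `expected_host == NULL` models a client that never set a hostname, reproducing the acceptance CVE-2025-27809 describes. The matching rules are this example's own simplification, not a statement of Mbed TLS's exact rules, and the certificate names are constructed.

```c
/* Added example (not Mbed TLS code): hostname matching and why it must run. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if the name presented in a certificate matches the reference hostname. */
int hostname_matches(const char *reference, const char *presented)
{
    if (reference == NULL || presented == NULL || *reference == '\0')
        return 0;
    if (strchr(reference, '*') != NULL)      /* reference identifiers never carry wildcards */
        return 0;
    if (presented[0] != '*')
        return ci_equal(reference, presented);   /* plain name: exact (case-insensitive) match */

    /* Wildcard form must be "*.<label>.<label>...": the wildcard is the whole
     * first label and at least two labels must follow (rejects "*.com"). */
    if (presented[1] != '.' || strchr(presented + 2, '.') == NULL)
        return 0;
    /* "*" stands for exactly the reference's first label; the rest must match
     * the suffix, so "a.b.example.com" does not match "*.example.com". */
    const char *ref_dot = strchr(reference, '.');
    if (ref_dot == NULL || ref_dot == reference)
        return 0;
    return ci_equal(ref_dot, presented + 1);
}

/* Simulated verification verdict (1 = accept). chain_ok stands in for the
 * result of chain validation against the trust store. With no expected host,
 * only the chain counts: the pre-fix behaviour this CVE describes. */
int accept_peer(int chain_ok, const char *const *san_names, size_t san_count,
                const char *expected_host)
{
    if (!chain_ok)
        return 0;
    if (expected_host == NULL)
        return 1;                                /* no name check at all */
    for (size_t i = 0; i < san_count; i++)
        if (hostname_matches(expected_host, san_names[i]))
            return 1;
    return 0;
}

/* Constructed SANs from a certificate a trusted CA issued to someone else. */
static const char *const ATTACKER_SANS[] = { "attacker.example", "*.cdn.attacker.example" };
#define ATTACKER_SAN_COUNT (sizeof(ATTACKER_SANS) / sizeof(ATTACKER_SANS[0]))

int main(void)
{
    printf("no hostname set: %d\n", accept_peer(1, ATTACKER_SANS, ATTACKER_SAN_COUNT, NULL));
    printf("hostname set:    %d\n", accept_peer(1, ATTACKER_SANS, ATTACKER_SAN_COUNT, "bank.example"));
    return 0;
}
```

In a real client the equivalent of `expected_host` is whatever was passed to mbedtls_ssl_set_hostname before the handshake; the practical check for existing code is to grep for TLS client setups that configure a CA chain but never set a hostname.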
CVE-2024-49195 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 3.6.2-1 | 2024-10-15
CVE-2024-49195 [CRITICAL] Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair.
Sources: osv
CVE-2024-45159 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 3.6.1-r0 | 2024-09-05
CVE-2024-45159 [CRITICAL] An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in the keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits clear. As a result, an att
Sources: osv
CVE-2024-45158 | CRITICAL | CVSS 9.8 | affected: ≥ 0, < 3.6.1-r0 | 2024-09-05
CVE-2024-45158 [CRITICAL] An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This never happens in internal library calls, but can affect applications that call these functions directly.)
Sources: osv
CVE-2024-28755 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 3.6.0-3 | 2024-04-03
CVE-2024-28755 [MEDIUM] An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a denial of service or a forced version downgrade from TLS 1.3 to TLS 1.2.
Sources: osv
CVE-2024-28960 | HIGH | CVSS 8.2 | affected: ≥ 0, < 2.28.8-1 | 2024-03-29
CVE-2024-28960 [HIGH] An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and in Mbed Crypto. The PSA Crypto API mishandles shared memory.
Sources: osv
CVE-2024-23775 | HIGH | CVSS 7.5 | affected: ≥ 0, < 2.28.7-1 | 2024-01-31
CVE-2024-23775 [HIGH] An integer overflow in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2 allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().
Sources: osv
CVE-2024-23170 | MEDIUM | CVSS 5.5 | affected: ≥ 0, < 2.28.7-1 | 2024-01-31
CVE-2024-23170 [MEDIUM] An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
Sources: osv
CVE-2021-36647 | MEDIUM | CVSS 4.7 | affected: ≥ 0, < 2.16.9-0.1+deb11u1; ≥ 0, < 2.16.11-0.1 | 2023-01-17
CVE-2021-36647 [MEDIUM] Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in bignum.c in Mbed TLS, all versions before 3.0.0, 2.27.0 or 2.16.11, allows attackers with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to
Sources: osv