Mbed Mbedtls vulnerabilities
52 known vulnerabilities affecting mbed/mbedtls.
Total CVEs: 52
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 14, MEDIUM 26, LOW 2
Vulnerabilities (page 2 of 3)
CVE-2020-36426 (HIGH, P3, CVSS 7.5). Affected: ≥ 0, < 2.16.9-0.1. Published 2021-07-19. Source: osv.
An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte).
CVE-2015-5291 (MEDIUM, P3, CVSS 6.8). Affected: ≥ 0, < 2.2.1-2. Published 2015-11-02. Source: osv.
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3
CVE-2025-49601 (MEDIUM, P3, CVSS 6.5, CWE-125). Affected: ≥ 3.3.0, < 3.6.4. Published 2025-07-04. Sources: nvd, osv.
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-
CVE-2018-9989 (HIGH, P4, CVSS 7.5). Affected: ≥ 0, < 2.8.0-1. Published 2018-04-10. Source: osv.
ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
CVE-2018-9988 (HIGH, P4, CVSS 7.5). Affected: ≥ 0, < 2.8.0-1. Published 2018-04-10. Source: osv.
ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
CVE-2024-23775 (HIGH, P4, CVSS 7.5). Affected: ≥ 0, < 2.28.7-1. Published 2024-01-31. Source: osv.
Integer overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2 allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().
CVE-2024-28755 (MEDIUM, P4, CVSS 6.5). Affected: ≥ 0, < 3.6.0-3. Published 2024-04-03. Source: osv.
An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a denial of service or a forced version downgrade from TLS 1.3 to TLS 1.2.
CVE-2015-8036 (MEDIUM, P4, CVSS 6.8). Affected: ≥ 0, < 2.2.1-2. Published 2015-11-02. Source: osv.
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from
CVE-2018-0497 (LOW, P4, CVSS 2.6). Affected: ≥ 0, < 2.12.0-1. Published 2018-07-28. Source: osv.
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC-based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
CVE-2020-36477 (MEDIUM, P4, CVSS 5.9). Affected: ≥ 0, < 2.28.0-0.3. Published 2021-08-23. Source: osv.
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byt
CVE-2019-16910 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 2.16.3-1. Published 2019-09-26. Source: osv.
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
CVE-2025-27809 (MEDIUM, P4, CVSS 5.4, CWE-1188). Fixed in 2.28.10. Affected: ≥ 3.0.0, < 3.6.3. Published 2025-03-25. Sources: nvd, osv.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
CVE-2020-10941 (MEDIUM, P4, CVSS 5.9). Affected: ≥ 0, < 2.16.5-1. Published 2020-03-24. Source: osv.
Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.
CVE-2020-36421 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 2.16.9-0.1. Published 2021-07-19. Source: osv.
An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.
CVE-2020-36425 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 2.16.9-0.1. Published 2021-07-19. Source: osv.
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock.
CVE-2025-54764 (MEDIUM, P4, CVSS 6.2). Affected: ≥ 0, < 3.6.5-0.1~deb13u1; ≥ 0, < 3.6.5-0.1. Published 2025-10-20. Source: osv.
Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.
CVE-2020-36422 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 2.16.9-0.1. Published 2021-07-19. Source: osv.
An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable.
CVE-2022-46392 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 2.16.9-0.1+deb11u1; ≥ 0, < 2.28.2-1. Published 2022-12-15. Source: osv.
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
CVE-2025-59438 (MEDIUM, P4, CVSS 5.3). Affected: ≥ 0, < 3.6.5-0.1~deb13u1; ≥ 0, < 3.6.5-0.1. Published 2025-10-21. Source: osv.
Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.
CVE-2020-16150 (MEDIUM, P4, CVSS 5.5). Affected: ≥ 0, < 2.16.9-0.1. Published 2020-09-02. Source: osv.
A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.