Mbed TLS (mbed/mbedtls) vulnerabilities
52 known vulnerabilities affecting mbed/mbedtls.
Total CVEs: 52
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 14, MEDIUM 26, LOW 2
Vulnerabilities (page 3 of 3)
CVE | CWE | priority | severity | CVSS | affected version range(s) | date
CVE-2024-23170 | - | P4 | MEDIUM | CVSS 5.5 | ≥ 0, < 2.28.7-1 | 2024-01-31
An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
Source: osv
CVE-2021-24119 | - | P4 | MEDIUM | CVSS 4.9 | ≥ 0, < 2.16.9-0.1+deb11u1; ≥ 0, < 2.16.11-0.1 | 2021-07-14
In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.
Source: osv
CVE-2025-27810 | CWE-908 | P4 | MEDIUM | CVSS 4.8 | fixed in 2.28.10; ≥ 3.0.0, < 3.6.3 | 2025-03-25
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Sources: nvd, osv
CVE-2025-52497 | CWE-193 | P4 | MEDIUM | CVSS 4.8 | fixed in 3.6.4 | 2025-07-04
Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.
Sources: nvd, osv
CVE-2020-10932 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.16.9-0.1 | 2020-04-15
An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 200
Source: osv
CVE-2021-36647 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.16.9-0.1+deb11u1; ≥ 0, < 2.16.11-0.1 | 2023-01-17
Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in bignum.c in Mbed TLS, all versions before 3.0.0, 2.27.0 or 2.16.11, allows attackers with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) to
Source: osv
CVE-2025-49600 | CWE-325 | P4 | MEDIUM | CVSS 4.9 | ≥ 3.3.0, < 3.6.4 | 2025-07-04
In Mbed TLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS
Sources: nvd, osv
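CVE-2025-49600 above and CVE-2025-27810 earlier on this page are the same class of bug seen from two sides: a lower layer fails (a hash accelerator faults, an allocation fails), the caller never looks at the error code, and the verification or message-building path continues with whatever happens to be in its buffers. The C program below is an added illustration of that pattern and is not Mbed TLS code. The 64-bit FNV-1a "hash", the four-level hash chain standing in for a hash tree, the global fault flag g_hash_fault and the function names are all assumptions made for the demo. verify_unchecked ignores the hash return value, so when the simulated accelerator faults, an attacker who simply presents the public root as the "leaf" is accepted; verify_checked treats any failing step as a rejection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_HASH_LEN 8
#define TREE_DEPTH 4

/* Assumed, for the demo only: a flag that simulates a faulting hardware hash
 * accelerator. Real code gets an error code back from the driver instead. */
static int g_hash_fault = 0;

/* Toy stand-in for the hash primitive (64-bit FNV-1a, NOT cryptographic).
 * Returns 0 on success. On a simulated fault it returns -1 and leaves `out`
 * untouched, which is exactly what makes an unchecked error dangerous.
 * All of `in` is read before `out` is written, so in-place use is fine. */
static int toy_hash(const uint8_t *in, size_t len, uint8_t out[TOY_HASH_LEN])
{
    if (g_hash_fault) {
        return -1;
    }
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= in[i];
        h *= 0x100000001b3ULL;
    }
    for (size_t i = 0; i < TOY_HASH_LEN; i++) {
        out[i] = (uint8_t)(h >> (8 * i));
    }
    return 0;
}

/* "Public key" = the leaf hashed TREE_DEPTH times (stand-in for a tree root). */
static int make_root(const uint8_t leaf[TOY_HASH_LEN], uint8_t root[TOY_HASH_LEN])
{
    memcpy(root, leaf, TOY_HASH_LEN);
    for (int i = 0; i < TREE_DEPTH; i++) {
        if (toy_hash(root, TOY_HASH_LEN, root) != 0) {
            return -1;
        }
    }
    return 0;
}

/* Vulnerable pattern: the hash return value is ignored. If the hash faults,
 * `node` still holds the attacker-supplied leaf when it is compared to the root. */
static int verify_unchecked(const uint8_t leaf[TOY_HASH_LEN], const uint8_t root[TOY_HASH_LEN])
{
    uint8_t node[TOY_HASH_LEN];
    memcpy(node, leaf, TOY_HASH_LEN);
    for (int i = 0; i < TREE_DEPTH; i++) {
        (void) toy_hash(node, TOY_HASH_LEN, node);   /* BUG: error code not checked */
    }
    return memcmp(node, root, TOY_HASH_LEN) == 0;    /* 1 = accept, 0 = reject */
}

/* Hardened pattern: every fallible step is checked and any failure rejects. */
static int verify_checked(const uint8_t leaf[TOY_HASH_LEN], const uint8_t root[TOY_HASH_LEN])
{
    uint8_t node[TOY_HASH_LEN];
    memcpy(node, leaf, TOY_HASH_LEN);
    for (int i = 0; i < TREE_DEPTH; i++) {
        if (toy_hash(node, TOY_HASH_LEN, node) != 0) {
            memset(node, 0, sizeof node);   /* do not leave attacker-controlled bytes behind */
            return 0;                        /* fail closed */
        }
    }
    return memcmp(node, root, TOY_HASH_LEN) == 0;
}

/* Scenario runner shared by main() and the tests.
 * forge = 0: present the genuine leaf; forge = 1: present the public root itself
 * as the "leaf" (always possible for an attacker, the root is public).
 * Returns the verifier's decision: 1 accept, 0 reject. */
static int run_scenario(int fault, int use_checked, int forge)
{
    static const uint8_t leaf[TOY_HASH_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    uint8_t root[TOY_HASH_LEN];
    g_hash_fault = 0;
    (void) make_root(leaf, root);
    const uint8_t *presented = forge ? root : leaf;
    g_hash_fault = fault;
    int ok = use_checked ? verify_checked(presented, root) : verify_unchecked(presented, root);
    g_hash_fault = 0;
    return ok;
}

int main(void)
{
    printf("no fault, genuine leaf: unchecked=%d checked=%d\n", run_scenario(0, 0, 0), run_scenario(0, 1, 0));
    printf("no fault, forged leaf:  unchecked=%d checked=%d\n", run_scenario(0, 0, 1), run_scenario(0, 1, 1));
    printf("fault,    forged leaf:  unchecked=%d checked=%d\n", run_scenario(1, 0, 1), run_scenario(1, 1, 1));
    return 0;
}
```

Without a fault both verifiers agree (genuine leaf accepted, forged leaf rejected); with the fault injected only verify_unchecked accepts the forgery. The same discipline applies to the CVE-2025-27810 case: a buffer that is only filled on the success path must never reach the comparison or the wire when the fill step reported an error.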
CVE-2018-0498 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.12.0-1 | 2018-07-28
Arm Mbed TLS before 2.12.0, 2.7.x before 2.7.5, and 2.1.x before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack.
Source: osv
CVE-2020-36424 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.16.9-0.1 | 2021-07-19
An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values.
Source: osv
CVE-2018-19608 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.14.1-1 | 2018-12-05
Arm Mbed TLS before 2.14.1, 2.7.x before 2.7.8, and 2.1.x before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.
Source: osv
CVE-2019-18222 | - | P4 | MEDIUM | CVSS 4.7 | ≥ 0, < 2.16.4-1 | 2020-01-23
The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks.
Source: osv
CVE-2025-49087 | CWE-385 | P4 | LOW | CVSS 3.7 | ≥ 3.6.1, < 3.6.4 | 2025-07-20
In Mbed TLS 3.6.1 through 3.6.3 (fixed in 3.6.4), a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.
Sources: nvd, osv
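CVE-2025-49087 is a padding-oracle style timing leak: if the code that strips PKCS#7 padding stops as soon as it sees a bad byte, how long it runs reveals where the first bad byte sits, and an attacker who can submit chosen ciphertexts turns that into plaintext recovery one byte at a time. The C program below is an added example, not Mbed TLS code, of the early-exit check next to a constant-time one. The function names, the 16-byte block, the constructed inputs in fill_case and the `examined` counter (a stand-in for a timer, counting how many bytes each routine actually reads) are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16   /* AES block size; a PKCS#7 pad length is 1..BLOCK */

/* Branch-free 8-bit comparisons: 0xFF when true, 0x00 when false. */
static uint8_t ct_eq(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);          /* 0 iff a == b */
    uint32_t nz = (x | (0u - x)) >> 31;      /* 1 iff x != 0 */
    return (uint8_t)(nz - 1);                /* 0 -> 0xFF, 1 -> 0x00 */
}

static uint8_t ct_le(uint8_t a, uint8_t b)
{
    uint32_t d = (uint32_t)b - (uint32_t)a;  /* top bit set iff a > b */
    return (uint8_t)((d >> 31) - 1);
}

/* Early-exit check: how many bytes get read (and so how long it takes) depends
 * on the secret decrypted bytes. `examined` counts loop iterations so the
 * dependence is visible without a timer. Returns 0 on valid padding, else -1. */
static int unpad_naive(const uint8_t *buf, size_t len, size_t *out_len, size_t *examined)
{
    *examined = 0;
    if (len < BLOCK || len % BLOCK != 0) {
        return -1;
    }
    uint8_t pad = buf[len - 1];
    if (pad < 1 || pad > BLOCK) {
        return -1;                           /* exit #1: reveals an out-of-range last byte */
    }
    for (size_t i = 0; i < pad; i++) {
        (*examined)++;
        if (buf[len - 1 - i] != pad) {
            return -1;                       /* exit #2: reveals where the first bad byte is */
        }
    }
    *out_len = len - pad;
    return 0;
}

/* Constant-time check: always reads the whole last block and folds every
 * comparison into a mask; the only branch is on the public length. */
static int unpad_ct(const uint8_t *buf, size_t len, size_t *out_len, size_t *examined)
{
    *examined = 0;
    if (len < BLOCK || len % BLOCK != 0) {
        return -1;
    }
    const uint8_t *last = buf + len - BLOCK;
    uint8_t pad = buf[len - 1];
    uint8_t bad = (uint8_t)~(ct_le(1, pad) & ct_le(pad, BLOCK));   /* pad outside 1..BLOCK */
    for (size_t i = 0; i < BLOCK; i++) {
        /* last[i] is the (BLOCK - i)-th byte from the end: padding iff BLOCK - i <= pad */
        uint8_t in_pad = ct_le((uint8_t)(BLOCK - i), pad);
        bad |= in_pad & (uint8_t)~ct_eq(last[i], pad);
        (*examined)++;
    }
    *out_len = len - (size_t)(pad & (uint8_t)~bad);   /* pad masked to 0 on failure, no underflow */
    return bad == 0 ? 0 : -1;
}

/* Constructed one-block inputs (what CBC decryption would hand to the unpadder). */
static void fill_case(int which, uint8_t buf[BLOCK])
{
    memset(buf, 0x41, BLOCK);
    switch (which) {
    case 0: memset(buf + 12, 0x04, 4); break;                  /* valid: 12 data bytes + 4 x 0x04 */
    case 1: memset(buf, 0x10, BLOCK); break;                   /* valid: a full block of padding */
    case 2: memset(buf + 12, 0x04, 4); buf[13] = 0x05; break;  /* invalid: 3rd byte from the end wrong */
    case 3: buf[BLOCK - 1] = 0x00; break;                      /* invalid: pad length 0 */
    default: buf[BLOCK - 1] = 0x11; break;                     /* invalid: pad length 17 > BLOCK */
    }
}

/* Wrappers so main() and the tests can ask for one result at a time. */
static void run_case(int which, int use_ct, int *rc, size_t *out_len, size_t *examined)
{
    uint8_t buf[BLOCK];
    fill_case(which, buf);
    *out_len = 0;
    *rc = use_ct ? unpad_ct(buf, BLOCK, out_len, examined) : unpad_naive(buf, BLOCK, out_len, examined);
}
static int case_rc(int which, int use_ct) { int rc; size_t o, e; run_case(which, use_ct, &rc, &o, &e); return rc; }
static size_t case_out_len(int which, int use_ct) { int rc; size_t o, e; run_case(which, use_ct, &rc, &o, &e); return o; }
static size_t case_examined(int which, int use_ct) { int rc; size_t o, e; run_case(which, use_ct, &rc, &o, &e); return e; }

int main(void)
{
    for (int which = 0; which < 5; which++) {
        printf("case %d: naive rc=%d examined=%zu | ct rc=%d examined=%zu\n", which,
               case_rc(which, 0), case_examined(which, 0), case_rc(which, 1), case_examined(which, 1));
    }
    return 0;
}
```

Both routines accept and reject the same inputs, but the naive one reads 0, 3, 4 or 16 bytes depending on the secret plaintext while the constant-time one always reads all 16. In a real implementation the mask-based check must also not be undone by the caller (for example by branching on the pad value before the MAC is checked), and the compiler's output should be inspected, since optimizers can reintroduce branches.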