Mbed Tls Security Vulnerabilities and Issues — Mbed Tls CVE List

Lucene search

ArmMbed Tls

12 matches found

CVE•added 2024/03/29 6:15 a.m.•108 views

CVE-2024-28960

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

8.2CVSS6.3AI score0.00134EPSS

CVE•added 2024/01/31 8:15 a.m.•95 views

CVE-2024-23170

An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as ...

5.5CVSS5.3AI score0.00175EPSS

CVE•added 2024/04/03 3:15 a.m.•84 views

CVE-2024-28755

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connectio...

6.5CVSS6.7AI score0.00127EPSS

CVE•added 2024/01/31 8:15 a.m.•83 views

CVE-2024-23775

Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().

7.5CVSS7.1AI score0.00285EPSS

CVE•added 2024/01/21 11:15 p.m.•65 views

CVE-2023-52353

An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.

7.5CVSS7.5AI score0.00061EPSS

CVE•added 2024/04/03 3:15 a.m.•57 views

CVE-2024-30166

In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can cause information disclosure or a denial of service because of a stack buffer over-read (of less than 256 bytes) in a TLS 1.3 server via a TLS 3.1 ClientHello.

9.1CVSS6.8AI score0.00352EPSS

CVE•added 2024/09/05 7:15 p.m.•49 views

CVE-2024-45157

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_R...

5.1CVSS6.9AI score0.00018EPSS

CVE•added 2024/09/05 7:15 p.m.•47 views

CVE-2024-45159

An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in if keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() wou...

9.8CVSS7.1AI score0.00241EPSS

CVE•added 2024/10/15 8:15 p.m.•46 views

CVE-2024-49195

Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair

9.8CVSS7.2AI score0.00342EPSS

CVE•added 2024/01/21 11:15 p.m.•45 views

CVE-2024-23744

An issue was discovered in Mbed TLS 3.5.1. There is persistent handshake denial if a client sends a TLS 1.3 ClientHello without extensions.

7.5CVSS7.4AI score0.00073EPSS

CVE•added 2024/04/03 3:15 a.m.•42 views

CVE-2024-28836

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server i...

5.4CVSS6.6AI score0.00297EPSS

CVE•added 2024/09/05 7:15 p.m.•36 views

CVE-2024-45158

An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This n...

9.8CVSS7.5AI score0.00528EPSS