threatengine.sh
Product: arm mbed tls
73 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Description
CVE-2026-34877 | >= 2.19.0 and < 3.6.6 | 9.8 CRITICAL | An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL co
CVE-2026-34876 | >= 3.1.0 and < 3.6.6 | 7.5 HIGH | An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c
CVE-2026-34873 | >= 3.5.0 and < 3.6.6 | 9.1 CRITICAL | An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.
CVE-2026-34872 | < 3.6.6 | 9.1 CRITICAL | An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior
CVE-2025-66442 | <= 4.0.0 | 5.1 MEDIUM | In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with L
CVE-2026-34874 | >= 3.5.0 and < 3.6.6 | 7.5 HIGH | An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name
CVE-2026-34871 | < 3.6.6 | 6.7 MEDIUM | An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed
CVE-2026-25835 | >= 2.18.0 and < 3.6.6 | 7.7 HIGH | Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).
CVE-2026-25833 | >= 3.5.0 and < 3.6.6 | 7.5 HIGH | Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function
CVE-2026-34875 | >= 3.5.0 and < 3.6.6 | 9.8 CRITICAL | An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FF
CVE-2026-25834 | >= 3.3.0 and < 3.6.6 | 6.5 MEDIUM | Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
CVE-2025-59438 | < 3.6.5 | 5.3 MEDIUM | Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.
CVE-2025-54764 | < 3.6.5 | 6.2 MEDIUM | Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbed
CVE-2025-49087 | >= 3.6.1 and < 3.6.4 | 4.0 MEDIUM | In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover t
CVE-2025-47917 | < 3.6.4 | 8.9 HIGH | Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the docu
CVE-2025-48965 | < 3.6.4 | 4.0 MEDIUM | Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p
CVE-2025-52497 | < 3.6.4 | 4.8 MEDIUM | Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse
CVE-2025-52496 | < 3.6.4 | 7.8 HIGH | Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to
CVE-2025-49601 | >= 3.3.0 and < 3.6.4 | 4.8 MEDIUM | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before readi
CVE-2025-49600 | >= 3.3.0 and < 3.6.4 | 4.9 MEDIUM | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go u
CVE-2025-27810 | < 2.28.10 | 5.4 MEDIUM | Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized sta
CVE-2025-27809 | < 2.28.10 | 5.4 MEDIUM | Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hos
CVE-2024-49195 | >= 3.5.0 and < 3.6.2 | 9.8 CRITICAL | Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair
CVE-2024-45159 | >= 3.2.0 and < 3.6.1 | 9.8 CRITICAL | An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, i
CVE-2024-45158 | all versions | 9.8 CRITICAL | An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_
CVE-2024-45157 | >= 2.26.0 and < 2.28.9 | 5.1 MEDIUM | An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike p
CVE-2024-30166 | >= 3.3.0 and < 3.6.0 | 9.1 CRITICAL | In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can cause information disclosure or a denial of service because o
CVE-2024-28836 | >= 3.5.0 and < 3.6.0 | 5.4 MEDIUM | An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to t
CVE-2024-28755 | >= 3.5.0 and <= 3.6.0 | 6.5 MEDIUM | An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, th
CVE-2024-28960 | >= 2.1.8 and < 2.28.8 | 8.2 HIGH | An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API
CVE-2024-23775 | >= 2.0.0 and < 2.28.7 | 7.5 HIGH | Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (
CVE-2024-23170 | >= 2.0.0 and < 2.28.7 | 5.5 MEDIUM | An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operati
CVE-2024-23744 | > 3.4.0 and <= 3.5.1 | 7.5 HIGH | An issue was discovered in Mbed TLS 3.5.1. There is persistent handshake denial if a client sends a TLS 1.3 ClientHello without ex
CVE-2023-52353 | < 3.5.2 | 7.5 HIGH | An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled.
CVE-2023-45199 | >= 3.2.0 and < 3.5.0 | 9.8 CRITICAL | Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can lead to remote Code execution.
CVE-2023-43615 | >= 2.0.0 and < 2.28.5 | 7.5 HIGH | Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.
CVE-2021-36647 | < 2.16.11 | 4.7 MEDIUM | Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in lignum.c in Mbed TLS Mbed TLS all versio
CVE-2022-46393 | < 2.28.2 | 9.8 CRITICAL | An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-b
CVE-2022-46392 | < 2.28.2 | 5.3 MEDIUM | An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information abo
CVE-2022-35409 | < 2.28.1 | 9.1 CRITICAL | An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can se
CVE-2021-43666 | <= 3.0.0 | 7.5 HIGH | A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input pas
CVE-2021-45451 | < 3.1.0 | 7.5 HIGH | In Mbed TLS before 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is at mem
CVE-2021-45450 | >= 2.22.0 and < 2.28.0 | 7.5 HIGH | In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based
CVE-2021-44732 | < 2.16.12 | 9.8 CRITICAL | Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failu
CVE-2020-36478 | < 2.7.18 | 7.5 HIGH | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry
CVE-2020-36477 | < 2.24.0 | 5.9 MEDIUM | An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (
CVE-2020-36476 | < 2.7.17 | 7.5 HIGH | An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of p
CVE-2020-36475 | < 2.7.18 | 7.5 HIGH | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbe
CVE-2020-36426 | < 2.7.17 | 7.5 HIGH | An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte).
CVE-2020-36425 | < 2.7.17 | 5.3 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor c
CVE-2020-36424 | < 2.7.17 | 4.7 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) vi
CVE-2020-36423 | < 2.16.7 | 7.5 HIGH | An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 counterm
CVE-2020-36422 | < 2.16.7 | 5.3 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ec
CVE-2020-36421 | < 2.16.7 | 5.3 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key use
CVE-2021-24119 | < 2.26.0 | 4.9 MEDIUM | In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator)
CVE-2020-16150 | < 2.7.17 | 5.5 MEDIUM | A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows
CVE-2020-10932 | >= 2.7.0 and < 2.7.15 | 4.7 MEDIUM | An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channe
CVE-2020-10941 | < 2.16.5 | 5.9 MEDIUM | Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during a
CVE-2019-18222 | < 2.7.13 | 4.7 MEDIUM | The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scala
CVE-2019-16910 | < 2.7.12 | 5.3 MEDIUM | Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient ent
CVE-2018-19608 | >= 2.1.0 and < 2.1.17 | 4.7 MEDIUM | Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA d
CVE-2018-0498 | < 2.1.14 | 4.7 MEDIUM | ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC ba
CVE-2018-0497 | < 2.1.14 | 5.9 MEDIUM | ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a C
CVE-2018-1000520 | <= 2.7.0 | 7.5 HIGH | ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_g
CVE-2018-9989 | < 2.1.11 | 7.5 HIGH | ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause
CVE-2018-9988 | < 2.1.11 | 7.5 HIGH | ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could ca
CVE-2017-18187 | < 2.7.0 | 9.8 CRITICAL | In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_
CVE-2018-0488 | >= 1.3.0 and < 1.3.22 | 9.8 CRITICAL | ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote att
CVE-2018-0487 | >= 1.3.8 and < 1.3.22 | 9.8 CRITICAL | ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of
CVE-2017-14032 | all versions | 8.1 HIGH | ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer
CVE-2017-2784 | <= 1.3.18 | 8.1 HIGH | An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.
CVE-2015-8036 | >= 1.3.0 and < 1.3.14 | n/a | Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers
CVE-2015-5291 | >= 1.3.0 and < 1.3.14 | n/a | Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2