CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-34877

CVSS 9.8v3.1pub. 2026-04-02upd. 2026-06-05

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

🤖 AI Analysis
How it works

Mbed TLS enables serialization and deserialization of SSL context and session structures — this mechanism is used, among other things, to save and restore the state of TLS connections. Insufficient protection of these structures during deserialization means that an attacker capable of modifying serialized data can trigger memory corruption. The vulnerability is caused by improper use of privileged APIs (CWE-250), which combined with the lack of data validation during deserialization (CWE-502) opens the way to arbitrary code execution.

Impact

An attacker can lead to arbitrary code execution in the context of a process using the vulnerable library, which in practice means the possibility of complete system takeover, breach of data confidentiality and integrity, and causing denial of service.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Detailed information about patched versions is available in the official Mbed TLS security bulletin at: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/

Who is affected

Arm Mbed TLS versions from 2.19.0 to 3.6.5 inclusive and Mbed TLS 4.0.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arm Mbed Tls

    APP
    Arm
    2.19.0 – 3.6.6 (bez)
  • Trustedfirmware Mbed Tls

    APP
    Trustedfirmware
    4.0.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-34873CRITICAL9.1PL ✓ten sam produkt

Arm Mbed TLS: podszywanie się pod klienta przy wznawianiu sesji TLS 1.3

CVE-2026-34872CRITICAL9.1PL ✓ten sam produkt

Brak weryfikacji wkładu strony w FFDH w Mbed TLS i TF-PSA-Crypto

CVE-2026-34875CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w eksporcie klucza publicznego FFDH w Mbed TLS i TF-PSA-Crypto

CVE-2024-49195CRITICAL9.8PL ✓ten sam produkt

Buffer underrun w Mbed TLS podczas zapisu nieprzezroczystej pary kluczy

CVE-2024-45159CRITICAL9.8PL ✓ten sam produkt

Arm Mbed TLS: błąd weryfikacji certyfikatu klienta w TLS 1.3