Mbed TLS Stack Memory Vulnerability Leading to Authentication Bypass in TLS Handshake

Vulnerability

A vulnerability exists in Mbed TLS versions prior to 2.28.10 and 3.x prior to 3.6.3. In certain situations where memory allocation fails or hardware errors occur, the library improperly uses uninitialized stack memory to create the TLS Finished message. This flaw can disrupt the TLS handshake process, potentially allowing an attacker to tamper with the handshake or replay messages to impersonate a legitimate peer.
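The failure class described above, as an added example: a simplified model written for this page, not Mbed TLS source code. All function names, the error code and the toy digest are hypothetical, and the `fail` flag stands in for the allocation failure or hardware error. It contrasts a Finished computation that drops the error with one that propagates it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 32
#define VERIFY_LEN 12        /* verify_data is 12 bytes in TLS 1.2 */
#define ERR_HASH_FAILED (-1) /* hypothetical error code */

/* Hypothetical transcript-hash step. fail != 0 models an allocation failure
 * or hardware error: the function returns an error and never writes `out`. */
int transcript_hash(const unsigned char *msgs, size_t len,
                    unsigned char out[HASH_LEN], int fail)
{
    if (fail) return ERR_HASH_FAILED;
    memset(out, 0, HASH_LEN);
    for (size_t i = 0; i < len; i++) out[i % HASH_LEN] ^= msgs[i]; /* toy digest */
    return 0;
}

/* Flawed pattern: the error is dropped, so on failure verify_data is copied
 * from whatever the stack buffer held and the handshake carries on. */
int finished_unchecked(const unsigned char *msgs, size_t len,
                       unsigned char verify[VERIFY_LEN], int fail)
{
    unsigned char hash[HASH_LEN];            /* uninitialized stack memory */
    transcript_hash(msgs, len, hash, fail);  /* return value ignored */
    memcpy(verify, hash, VERIFY_LEN);
    return 0;
}

/* Hardened pattern: initialize the buffer, propagate the error so the caller
 * aborts the handshake, emit nothing on failure, wipe the temporary. */
int finished_checked(const unsigned char *msgs, size_t len,
                     unsigned char verify[VERIFY_LEN], int fail)
{
    unsigned char hash[HASH_LEN] = {0};
    int ret = transcript_hash(msgs, len, hash, fail);
    if (ret == 0) memcpy(verify, hash, VERIFY_LEN);
    volatile unsigned char *p = hash;        /* wipe that is not optimized away */
    for (size_t i = 0; i < HASH_LEN; i++) p[i] = 0;
    return ret;
}

int main(void) {
    unsigned char msgs[] = "constructed handshake transcript", v[VERIFY_LEN] = {0};
    printf("unchecked on failure -> %d\n", finished_unchecked(msgs, sizeof msgs, v, 1));
    printf("checked on failure   -> %d\n", finished_checked(msgs, sizeof msgs, v, 1));
    return 0;
}
```

The unchecked variant reports success even though no hash was computed, which is the condition the fixed releases are meant to rule out.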

Impact

Exploitation of this vulnerability can break the security guarantees of the TLS handshake, leading to possible Man-in-the-Middle attacks or replay attacks.

Remediation

Users should upgrade to Mbed TLS 3.6.3 or Mbed TLS 2.28.10.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 5.0
exploitability: 5.6
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.