Primary

Context

Mbed TLS Null Pointer Dereference Vulnerability in Distinguished Name Parsing

Vulnerability

Patched

A null pointer dereference vulnerability has been identified in Mbed TLS versions 3.5.0 prior to 3.6.5 and in the 4.x series through 4.0.0. The issue arises during distinguished name parsing, where an attacker can exploit a memory allocation failure to cause a null pointer to be used as a destination address in a memory copy operation. This vulnerability can lead to a segmentation fault on platforms with memory protection or, on microcontrollers, allow arbitrary code execution by writing to an interrupt vector.

Impact

Exploitation of this vulnerability can cause a null pointer dereference, leading to a segmentation fault on protected systems or arbitrary code execution on unprotected ones.

Remediation

Users are advised to upgrade to Mbed TLS versions 3.6.6 or 4.1.0. For those maintaining a branch with backported bug fixes, relevant commits are available.

Added: Apr 1, 2026, 7:24 PM

Updated: Apr 1, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread

8.6

impact

7.5

exploitability

7.7

remediation

7.9

relevance

4.9

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.6

impact

7.5

exploitability

7.7

remediation

7.9

relevance

4.9

threat

0.0

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mbed TLS Null Pointer Dereference Vulnerability in Distinguished Name Parsing

Vulnerability

Impact

Remediation

Affected Products

Mbed TLS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating