Description
ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ARMmbed/mbedtls/commit/a1098f81c252b317ad34ea978aea2bc47760b215
Release Notes, Vendor Advisory x_refsource_confirm
https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html
Scores
CVSS v3
7.5
EPSS
0.0065
EPSS Percentile
71.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-125
Status
published
Products (4)
arm/mbed_tls
2.8.0 rc1
arm/mbed_tls
< 2.1.11
debian/debian_linux
8.0
debian/debian_linux
9.0
Published
Apr 10, 2018
Tracked Since
Feb 18, 2026