CVE-2020-36476

HIGH

Mbed TLS <2.24.0 - Memory Corruption

Title source: llm

Description

An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.

References (5)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html

[Release Notes, Third Party Advisory] https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

[Release Notes, Third Party Advisory] https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

[Release Notes, Third Party Advisory] https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17

Scores

CVSS v3 7.5

EPSS 0.0068

EPSS Percentile 71.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-212

Status published

Products (3)

arm/mbed_tls < 2.7.17

debian/debian_linux 9.0

debian/debian_linux 10.0

Published Aug 23, 2021

Tracked Since Feb 18, 2026