CVE-2026-34877

CRITICAL

Mbed TLS 2.19.0-3.6.5, 4.0.0 - Memory Corruption

Title source: llm

Description

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

References (2)

https://mbed-tls.readthedocs.io/en/latest/security-advisories/

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/

Scores

CVSS v3 9.8

EPSS 0.0020

EPSS Percentile 42.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-250 CWE-502

Status published

Products (2)

arm/mbed_tls 4.0.0

arm/mbed_tls 2.19.0 - 3.6.6

Published Apr 02, 2026

Tracked Since Apr 02, 2026