CVE-2025-27810

EUVD-2025-14831
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
mitreCNA
5.4 MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
armmbed_tls
𝑥
< 2.28.10
armmbed_tls
3.0.0 ≤
𝑥
< 3.6.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mbedtls
bionic
needed
focal
needed
jammy
needed
noble
needed
oracular
ignored
plucky
ignored
questing
needed
xenial
needed
Common Weakness Enumeration
References
https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/