CVE-2025-27810

EUVD-2025-14831
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.4 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |

EPSS Score percentile: Unknown
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| arm | mbed_tls | 𝑥 < 2.28.10 |
| arm | mbed_tls | 3.0.0 ≤ 𝑥 < 3.6.3 |

𝑥 = Vulnerable software versions
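Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| mbedtls | bionic | Fixed 2.8.0-1ubuntu0.1~esm1 (released) |
| mbedtls | focal | Fixed 2.16.4-1ubuntu2+esm1 (released) |
| mbedtls | jammy | Fixed 2.28.0-1ubuntu0.1~esm1 (released) |
| mbedtls | noble | Fixed 2.28.8-1ubuntu0.1~esm1 (released) |
| mbedtls | oracular | ignored |
| mbedtls | plucky | ignored |
| mbedtls | questing | needed |
| mbedtls | xenial | needed |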