CVE-2026-34877

EUVD-2026-18394
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, and in Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Provider            Type      Base Score     Attack Vector   Attack Complexity   Privileges Required   Vector
NIST                Primary   9.8 CRITICAL   NETWORK         LOW                 NONE                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score: CVSS 3.x
EPSS Score: Percentile 44%
Affected Products (NVD)

Vendor   Product    Version
arm      mbed_tls   2.19.0 <= x < 3.6.6
arm      mbed_tls   4.0.0

x = vulnerable software versions
Debian Releases

Debian Product   Codename             Version                  Status
mbedtls          bookworm                                      unimportant
mbedtls          bullseye             2.16.9-0.1               fixed
mbedtls          bullseye (security)  2.16.9-0.1+deb11u4       fixed
mbedtls          forky                                         unimportant
mbedtls          sid                                           unimportant
mbedtls          trixie                                        unimportant