Unrated severityNVD Advisory· Published Nov 2, 2015· Updated Jun 17, 2026
CVE-2015-5291
CVE-2015-5291
Description
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
14cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- osv-coords3 versionspkg:rpm/opensuse/mbedtls-2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/mbedtls-3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/mbedtls&distro=openSUSE%20Tumbleweed
< 2.28.3-1.1+ 2 more
- (no CPE)range: < 2.28.3-1.1
- (no CPE)range: < 3.6.6-1.1
- (no CPE)range: < 2.4.0-1.2
Patches
Vulnerability mechanics
References
10- lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.htmlnvdMailing ListThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.htmlnvdMailing ListThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-updates/2015-12/msg00119.htmlnvdMailing ListThird Party Advisory
- www.debian.org/security/2016/dsa-3468nvdThird Party Advisory
- guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdfnvdThird Party Advisory
- guidovranken.wordpress.com/2015/10/07/cve-2015-5291/nvdThird Party Advisory
- security.gentoo.org/glsa/201706-18nvdThird Party Advisory
- tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01nvdVendor Advisory
News mentions
0No linked articles in our index yet.