VYPR
Critical severity 9.8 · NVD Advisory · Published Dec 20, 2021 · Updated Jun 5, 2026

CVE-2021-44732

Description

A double-free vulnerability in Mbed TLS before 3.0.1 occurs when memory allocation fails during session handling.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A double-free vulnerability exists in Mbed TLS versions prior to 3.0.1. It is triggered under out-of-memory conditions when mbedtls_ssl_set_session() or mbedtls_ssl_get_session(), the API calls an application uses to resume and save a TLS session, fail with MBEDTLS_ERR_SSL_ALLOC_FAILED. After such a failure an internal session buffer is freed twice: once inside the failing function, and again when the application subsequently calls mbedtls_ssl_session_free() or mbedtls_ssl_free() [4].

Exploitation

No authentication or privileged network position is required, but the attacker does need to drive the target into a memory-allocation failure at the moment a session is saved or resumed. In practice that means inducing memory pressure on the target (for example by initiating many connections or through other resource-exhaustion vectors) and relying on the application to call mbedtls_ssl_set_session() or mbedtls_ssl_get_session(), the functions whose failure triggers the bug. No user interaction beyond normal TLS session operations is required.

Impact

A successful double-free can lead to memory corruption, potentially allowing an attacker to corrupt heap data, cause a denial of service (application crash), or in some cases achieve arbitrary code execution. The exact outcome depends on the heap allocator and its state at the time of the second free; hardened allocators often detect a repeated free of the same chunk and abort, which turns the bug into a crash rather than code execution. The vulnerability affects the confidentiality, integrity, and availability of the system.

Mitigation

The issue is fixed in Mbed TLS 3.0.1 and later [1][2][3][4]; the fix also shipped in the 2.16.12 (the last release of the 2.16 branch) and 2.28.0 releases and is carried by 3.1.0 [2][3][4]. All releases before 3.0.1 are affected [4]. Users should upgrade to the fixed release for their branch. No official workaround is provided for those unable to upgrade; the only mitigation is to avoid allocation failures by ensuring sufficient memory is available. Because the bug is only reached through mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failing, applications that never save or resume sessions do not exercise the vulnerable path.
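A version check against the fixed releases named in this section, written as an added example (not from the advisory or from the Mbed TLS project). It assumes the thresholds stated above (2.16.12 for the 2.16 branch, 2.28.0 for later 2.x, 3.0.1 for 3.x) and packs versions in the 0xMMNNPP00 layout used by MBEDTLS_VERSION_NUMBER, so a runtime check could pass in the result of mbedtls_version_get_number() instead of a parsed string; the sample version strings are constructed.

```c
/* Added example, not from the advisory or the Mbed TLS project: classify an
 * Mbed TLS release against the fixed versions this page names.  The
 * thresholds (2.16.12, 2.28.0, 3.0.1) are taken from the Mitigation text;
 * the 0xMMNNPP00 packing matches MBEDTLS_VERSION_NUMBER. */
#include <stdio.h>

/* Packs major.minor.patch the way MBEDTLS_VERSION_NUMBER does. */
static unsigned version_number(unsigned major, unsigned minor, unsigned patch)
{
    return (major << 24) | (minor << 16) | (patch << 8);
}

/* Parses "2.27.0" (a trailing suffix such as "-rc1" is ignored); returns 0
 * for a malformed string, which the check below treats as affected. */
static unsigned parse_version(const char *s)
{
    unsigned major, minor, patch;
    if (sscanf(s, "%u.%u.%u", &major, &minor, &patch) != 3) return 0;
    return version_number(major, minor, patch);
}

/* Returns 1 if the release falls in the affected range (before its branch's
 * fix release), 0 if it carries the fix. */
static int affected_by_cve_2021_44732(unsigned v)
{
    unsigned major = v >> 24, minor = (v >> 16) & 0xff;
    if (major >= 3)                 /* 3.0.0 affected; 3.0.1 and later fixed */
        return v < version_number(3, 0, 1);
    if (major == 2 && minor == 16)  /* 2.16 LTS branch: fixed in 2.16.12 */
        return v < version_number(2, 16, 12);
    if (major == 2)                 /* other 2.x branches: fixed from 2.28.0 */
        return v < version_number(2, 28, 0);
    return 1;                       /* older majors, or unparsable: fail closed */
}

/* Convenience wrapper for a string as found in MBEDTLS_VERSION_STRING. */
static int affected_version_string(const char *s)
{
    return affected_by_cve_2021_44732(parse_version(s));
}

int main(void)
{
    /* Constructed sample inputs spanning both sides of each threshold. */
    static const char *samples[] = { "2.16.11", "2.16.12", "2.27.0", "2.28.0", "3.0.0", "3.1.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", samples[i], affected_version_string(samples[i]) ? "affected" : "fixed");
    return 0;
}
```

Feeding in a vendored tree's MBEDTLS_VERSION_STRING (or the runtime value from mbedtls_version_get_number()) catches the common case where a product pins an old 2.x branch that the "before 3.0.1" range in the NVD entry makes easy to misread as unaffected.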

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Mbed/Mbed TLS (source: description)
  • Arm/MbedTLS (source: llm-fuzzy)
    Range: <3.0.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Double free in mbedtls_ssl_set_session() when memory allocation fails."

Attack vector

An attacker can trigger the double free by inducing memory exhaustion on the target system, causing `mbedtls_ssl_set_session()` to fail. Because the vulnerability is reachable over the network (CVSS:3.1/AV:N) without authentication (PR:N), a remote attacker who can force the TLS library into an out-of-memory state during session setup can exploit this flaw [CWE-415]. The advisory does not detail a specific payload shape beyond the memory-pressure precondition.

Affected code

The vulnerability affects Mbed TLS versions before 3.0.1. The double free occurs in the TLS session handling code when `mbedtls_ssl_set_session()` fails under out-of-memory conditions. The advisory does not specify the internal function or file path beyond that public API name.

What the fix does

The fix was released in Mbed TLS 3.0.1. The patch corrects the memory management in the session-set code path so that when `mbedtls_ssl_set_session()` fails due to an allocation failure, the session data is not freed twice. The advisory does not include the actual diff, but the release notes state that the double free is eliminated by ensuring proper cleanup ordering in the error path.
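The error-path pattern described here and in the Vulnerability section above, as an added example that is not code from the advisory or from Mbed TLS: a hypothetical session structure with a single owned buffer, a small tracking allocator that counts (rather than performs) a second free of the same block, and the copy routine in the vulnerable shape beside one hardened shape. The hardened version is an editor's illustration of an ordering fix, not the project's actual patch, and the out-of-memory precondition is modelled by making the next allocation fail.

```c
/* Added example (editor's illustration, not Mbed TLS code): a minimal model of
 * the double-free shape the advisory describes.  demo_session, the function
 * names and the tracking allocator are hypothetical; what mirrors the CVE is
 * the pattern: an error path frees a buffer but leaves the owning pointer set. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *ticket;   /* heap buffer owned by the session */
    size_t ticket_len;
} demo_session;

/* Tracking allocator: remembers live blocks so a second free of one block is
 * counted instead of handed to the real allocator (which would abort). */
#define TRACK_SLOTS 16
static void *live[TRACK_SLOTS];
static int demo_double_frees;
static int demo_fail_next_alloc;   /* models the out-of-memory precondition */

static void demo_reset(void)
{
    memset(live, 0, sizeof live);
    demo_double_frees = 0;
    demo_fail_next_alloc = 0;
}

static void *demo_calloc(size_t n, size_t size)
{
    if (demo_fail_next_alloc) {
        demo_fail_next_alloc = 0;
        return NULL;                       /* the injected allocation failure */
    }
    void *p = calloc(n, size);
    for (int i = 0; p != NULL && i < TRACK_SLOTS; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

static void demo_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    demo_double_frees++;                   /* not live any more: double free */
}

/* Vulnerable shape: the old buffer is released before the replacement is
 * allocated, so on allocation failure dst->ticket is left dangling. */
static int session_copy_vulnerable(demo_session *dst, const demo_session *src)
{
    demo_free(dst->ticket);
    unsigned char *t = demo_calloc(1, src->ticket_len);
    if (t == NULL) return -1;              /* "ALLOC_FAILED" with a stale pointer */
    memcpy(t, src->ticket, src->ticket_len);
    dst->ticket = t;
    dst->ticket_len = src->ticket_len;
    return 0;
}

/* Hardened shape (one way to fix the ordering, not the project's actual
 * patch): allocate first and touch dst only once the new buffer exists. */
static int session_copy_fixed(demo_session *dst, const demo_session *src)
{
    unsigned char *t = demo_calloc(1, src->ticket_len);
    if (t == NULL) return -1;              /* dst untouched, still owns its buffer */
    memcpy(t, src->ticket, src->ticket_len);
    demo_free(dst->ticket);
    dst->ticket = t;
    dst->ticket_len = src->ticket_len;
    return 0;
}

/* The teardown an application performs after the failed call
 * (mbedtls_ssl_session_free() in the real library). */
static void session_free(demo_session *s)
{
    demo_free(s->ticket);
    s->ticket = NULL;
    s->ticket_len = 0;
}

/* Runs one copy under injected OOM, then the normal teardown, and returns the
 * number of double frees seen: 1 for the vulnerable shape, 0 for the fixed
 * one (negative means the harness itself failed). */
static int double_frees_after_oom(int (*copy)(demo_session *, const demo_session *))
{
    static unsigned char new_ticket[8] = {9, 9, 9, 9, 9, 9, 9, 9};   /* constructed input */
    demo_session src = { new_ticket, sizeof new_ticket };
    demo_session dst = { NULL, 0 };

    demo_reset();
    dst.ticket = demo_calloc(1, 4);        /* the session's existing buffer */
    if (dst.ticket == NULL) return -1;
    dst.ticket_len = 4;

    demo_fail_next_alloc = 1;              /* next allocation fails: the OOM precondition */
    if (copy(&dst, &src) != -1) return -2;

    session_free(&dst);
    return demo_double_frees;
}
```

Under a real allocator the vulnerable path would abort on the second free instead of reporting a count, which is why the tracker intercepts it. The same fault-injection idea (fail the N-th allocation, then run the normal teardown) is how one would regression-test the real mbedtls_ssl_set_session() error path, ideally under AddressSanitizer so that any dangling pointer the tracker does not model is also caught.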

Preconditions

  • input: The target system must be placed in an out-of-memory condition so that mbedtls_ssl_set_session() fails during a TLS session setup attempt.
  • network: The attacker must be able to initiate a TLS handshake with the target (network reachability).

Generated on Jun 13, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)

News mentions (0)

No linked articles in our index yet.