CVE-2024-45157
Description
Mbed TLS PSA subsystem ignores user-selected HMAC_DRBG configuration, using CTR_DRBG instead, weakening side-channel resistance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Mbed TLS versions from 2.26.0 to 2.28.8 and 3.x before 3.6.1, the configuration option MBEDTLS_PSA_HMAC_DRBG_MD_TYPE, intended to select HMAC_DRBG as the pseudorandom generator in the PSA subsystem, is not honored. Instead, CTR_DRBG is used when MBEDTLS_CTR_DRBG_C is enabled, regardless of this setting [2]. This affects the PSA cryptography subsystem's random number generation.
Exploitation
No user interaction is required; the vulnerability is present at compile time. An attacker with the ability to observe side channels (e.g., timing or power) could exploit the weaker side-channel resistance of CTR_DRBG compared to HMAC_DRBG [2]. The attacker would need to be in a position to perform side-channel analysis on the device running Mbed TLS.
Impact
The use of CTR_DRBG instead of HMAC_DRBG may reduce resistance against timing and power side-channel attacks, potentially allowing an attacker to recover sensitive information such as cryptographic keys [2]. The risk is considered low.
Mitigation
Upgrade to Mbed TLS 2.28.9 or 3.6.1, where the documentation is corrected (but behavior unchanged) [1][2]. Alternatively, as a workaround, disable MBEDTLS_CTR_DRBG_C at compile time to force HMAC_DRBG to be used [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mbed TLS / Mbed TLS
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The PSA subsystem incorrectly defaults to CTR_DRBG instead of HMAC_DRBG when specific configurations are enabled."
Attack vector
The vulnerability is triggered by building with MBEDTLS_PSA_HMAC_DRBG_MD_TYPE enabled. This configuration does not result in the PSA subsystem using HMAC_DRBG as expected. Instead, HMAC_DRBG is only used when both MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled, so the build silently falls back to CTR_DRBG.
Affected code
The vulnerability lies within the PSA subsystem's random number generator (DRBG) implementation. Specifically, the logic governing the selection between HMAC_DRBG and CTR_DRBG is flawed when MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is enabled.
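The selection order described above, together with the workaround from the Mitigation section (disable MBEDTLS_CTR_DRBG_C), as an added example that is not Mbed TLS code: a small model of the DRBG choice plus a compile-time guard a project can place after its Mbed TLS config headers. The function and enum names are hypothetical; the selection order (external RNG, then CTR_DRBG, then HMAC_DRBG) is taken from the advisory text on this page.

```c
/* Added example, not Mbed TLS source. Models the PSA DRBG selection this
 * advisory describes and offers a compile-time guard for affected builds.
 * Assumption: selection order is EXTERNAL_RNG > CTR_DRBG > HMAC_DRBG, as the
 * page states; the function and enum names here are hypothetical. */
#include <stdbool.h>

typedef enum {
    PSA_RNG_EXTERNAL,   /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG: application supplies randomness */
    PSA_RNG_CTR_DRBG,   /* MBEDTLS_CTR_DRBG_C enabled: CTR_DRBG is chosen */
    PSA_RNG_HMAC_DRBG,  /* only reached when both of the above are disabled */
    PSA_RNG_NONE        /* no DRBG module at all: the Mbed TLS build fails */
} psa_rng_backend;

/* Mirrors the selection chain in affected versions. hmac_md_type_set is the
 * option users expect to pick HMAC_DRBG; it never enters the decision. */
psa_rng_backend psa_rng_selected(bool external_rng, bool ctr_drbg_c,
                                 bool hmac_drbg_c, bool hmac_md_type_set)
{
    (void)hmac_md_type_set;  /* ignored in affected versions: that is the bug */
    if (external_rng) return PSA_RNG_EXTERNAL;
    if (ctr_drbg_c)   return PSA_RNG_CTR_DRBG;
    if (hmac_drbg_c)  return PSA_RNG_HMAC_DRBG;
    return PSA_RNG_NONE;
}

/* True when the build asks for HMAC_DRBG but will silently get something else.
 * Turning ctr_drbg_c off (the documented workaround) clears the condition. */
bool psa_rng_config_is_misleading(bool external_rng, bool ctr_drbg_c,
                                  bool hmac_drbg_c, bool hmac_md_type_set)
{
    return hmac_md_type_set &&
           psa_rng_selected(external_rng, ctr_drbg_c, hmac_drbg_c, true)
               != PSA_RNG_HMAC_DRBG;
}

/* Compile-time form of the same check. Include this after the Mbed TLS config
 * headers in a project that relies on the HMAC_DRBG setting; it fails the build
 * instead of letting CTR_DRBG be used unnoticed. */
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) && \
    !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && defined(MBEDTLS_CTR_DRBG_C)
#error "MBEDTLS_PSA_HMAC_DRBG_MD_TYPE set but PSA will use CTR_DRBG (CVE-2024-45157): disable MBEDTLS_CTR_DRBG_C"
#endif
```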
What the fix does
The advisory indicates that Mbed TLS versions before 2.28.9 and 3.x before 3.6.1 are affected. The fix involves updating to these patched versions. The advisory does not provide specific details on the code changes, but the resolution implies a correction in the logic that determines the DRBG algorithm selection within the PSA subsystem.
Preconditions
- The configuration option MBEDTLS_PSA_HMAC_DRBG_MD_TYPE must be enabled.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- mbed-tls.readthedocs.io/en/latest/security-advisories/ (Vendor Advisory, via NVD)
- mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/ (Vendor Advisory, via NVD)
- github.com/Mbed-TLS/mbedtls/releases/ (Release Notes, via NVD)
News mentions
No linked articles in our index yet.