CVE-2025-27810

Vulnerability

In Mbed TLS before 2.28.10 and 3.x before 3.6.3, when a memory allocation fails or a cryptographic hardware driver returns an error at a specific point during the TLS handshake, the Finished message is incorrectly computed using uninitialized stack memory [2]. This affects all versions of Mbed TLS up to 2.28.9 and 3.x up to 3.6.2 [2]. The Finished message is critical to ensure that the handshake has not been tampered with by an attacker [2].

Exploitation

An attacker must be able to trigger memory allocation failures or cryptographic hardware failures at the precise moment during the handshake when the Finished message is being composed [2]. No special network position beyond a man-in-the-middle capability is required if the attacker can induce the necessary failure condition. The attacker could exploit this by causing the system to run out of memory or by manipulating a hardware driver to return an error [2].

Impact

Successful exploitation breaks the security guarantees of the TLS handshake. An attacker can tamper with the handshake via a man-in-the-middle attack or replay handshake messages to impersonate a legitimate peer [2]. This leads to authentication bypass, as the Finished message no longer validates the integrity of the handshake [2]. The severity is rated MEDIUM under CVSS [2].

Mitigation

Affected users should upgrade to Mbed TLS 2.28.10 or Mbed TLS 3.6.3, released on 24 March 2025 [2]. As a workaround, ensure that sufficient memory is available before performing a handshake and that any cryptographic hardware drivers used for hash functions cannot return errors [2]. The issue is fixed in the corresponding releases [2].