MbedTLS
by Arm
Source repositories
CVEs (72)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10932 | Arm / MbedTLS | Med | 0.31 | 4.7 | 0.00 | — | Apr 15, 2020 | An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by… |
| CVE-2018-19608 | Arm / MbedTLS | Med | 0.31 | 4.7 | 0.00 | — | Dec 5, 2018 | Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites. |
| CVE-2018-0498 | Arm / MbedTLS | Med | 0.31 | 4.7 | 0.00 | — | Jul 28, 2018 | ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack. |
| CVE-2024-23170 | Arm / MbedTLS | Med | 0.29 | 5.5 | 0.00 | — | Jan 31, 2024 | An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages… |
| CVE-2025-27809 | Arm / MbedTLS | Med | 0.28 | 5.4 | 0.00 | — | Mar 25, 2025 | Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname. |
| CVE-2019-16910 | Arm / MbedTLS | Med | 0.28 | 5.3 | 0.02 | — | Sep 26, 2019 | Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times.… |
| CVE-2025-49087 | Arm / MbedTLS | Med | 0.26 | 4.0 | 0.00 | — | Jul 20, 2025 | In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used. |
| CVE-2025-47917 | Arm / MbedTLS | — | 0.04 | — | 0.02 | — | Jul 20, 2025 | Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not… |
| CVE-2025-59438 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Oct 21, 2025 | Mbed TLS through 3.6.4 has an Observable Timing Discrepancy. |
| CVE-2025-54764 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Oct 20, 2025 | Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd. |
| CVE-2025-48965 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Jul 20, 2025 | Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero. |
| CVE-2025-52496 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Jul 4, 2025 | Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery. |
| CVE-2025-52497 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Jul 4, 2025 | Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input. |
| CVE-2023-52353 | Arm / MbedTLS | — | 0.00 | — | 0.00 | — | Jan 21, 2024 | An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum. |
| CVE-2021-43666 | Arm / MbedTLS | — | 0.00 | — | 0.02 | — | Mar 24, 2022 | A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0. |
| CVE-2020-36476 | Arm / MbedTLS | — | 0.00 | — | 0.02 | — | Aug 23, 2021 | An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory. |
| CVE-2020-36477 | Arm / MbedTLS | — | 0.00 | — | 0.01 | — | Aug 23, 2021 | An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected… |
| CVE-2020-36478 | Arm / MbedTLS | — | 0.00 | — | 0.01 | — | Aug 23, 2021 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way,… |
| CVE-2020-36475 | Arm / MbedTLS | — | 0.00 | — | 0.02 | — | Aug 23, 2021 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs. |
| CVE-2020-36421 | Arm / MbedTLS | — | 0.00 | — | 0.02 | — | Jul 19, 2021 | An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. |
Page 3 of 4