VYPR

MbedTLS

by Arm

Source repositories

CVEs (72)

  • CVE-2020-10932MedApr 15, 2020
    risk 0.31cvss 4.7epss 0.00

    An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by…

  • CVE-2018-19608MedDec 5, 2018
    risk 0.31cvss 4.7epss 0.00

    Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.

  • CVE-2018-0498MedJul 28, 2018
    risk 0.31cvss 4.7epss 0.00

    ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) via a cache-based side-channel attack.

  • CVE-2024-23170MedJan 31, 2024
    risk 0.29cvss 5.5epss 0.00

    An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages…

  • CVE-2025-27809MedMar 25, 2025
    risk 0.28cvss 5.4epss 0.00

    Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

  • CVE-2019-16910MedSep 26, 2019
    risk 0.28cvss 5.3epss 0.02

    Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times.…

  • CVE-2025-49087MedJul 20, 2025
    risk 0.26cvss 4.0epss 0.00

    In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.

  • CVE-2025-47917Jul 20, 2025
    risk 0.04cvss epss 0.02

    Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not…

  • CVE-2025-59438Oct 21, 2025
    risk 0.00cvss epss 0.00

    Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.

  • CVE-2025-54764Oct 20, 2025
    risk 0.00cvss epss 0.00

    Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.

  • CVE-2025-48965Jul 20, 2025
    risk 0.00cvss epss 0.00

    Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

  • CVE-2025-52496Jul 4, 2025
    risk 0.00cvss epss 0.00

    Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

  • CVE-2025-52497Jul 4, 2025
    risk 0.00cvss epss 0.00

    Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

  • CVE-2023-52353Jan 21, 2024
    risk 0.00cvss epss 0.00

    An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.

  • CVE-2021-43666Mar 24, 2022
    risk 0.00cvss epss 0.02

    A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0.

  • CVE-2020-36476Aug 23, 2021
    risk 0.00cvss epss 0.02

    An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.

  • CVE-2020-36477Aug 23, 2021
    risk 0.00cvss epss 0.01

    An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected…

  • CVE-2020-36478Aug 23, 2021
    risk 0.00cvss epss 0.01

    An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way,…

  • CVE-2020-36475Aug 23, 2021
    risk 0.00cvss epss 0.02

    An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs.

  • CVE-2020-36421Jul 19, 2021
    risk 0.00cvss epss 0.02

    An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.