CVE-2026-34874
NULL Pointer Dereference in Mbed TLS Distinguished Name Parsing
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arm | mbed_tls | From 3.5.0 (inc) to 3.6.6 (exc) |
| arm | mbed_tls | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-34874 vulnerability in Mbed TLS involves a null pointer dereference that occurs during the parsing of distinguished names in X.509 certificate processing. This happens because the software improperly handles null pointers when assigning or manipulating distinguished names, which can cause the application to attempt to write to address 0.
This improper handling can lead to application crashes or denial of service if an attacker exploits this flaw.
How can this vulnerability impact me? :
Exploitation of this vulnerability can cause the affected application using Mbed TLS to crash or become unavailable, resulting in a denial of service condition.
This can disrupt services relying on secure communications or certificate validation, potentially impacting system availability and reliability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-34874 vulnerability in Mbed TLS, it is important to apply the provided fixes that address the null pointer dereference issue in distinguished name parsing.
The advisory emphasizes updating to a fixed version of Mbed TLS beyond 3.6.5 or 4.0.0 where the issue has been resolved.
Applying these fixes will prevent application crashes or denial of service caused by exploitation of this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-34874 vulnerability in Mbed TLS causes a null pointer dereference that can lead to application crashes or denial of service. While this impacts the availability aspect of security, there is no direct information provided about how this vulnerability affects compliance with standards such as GDPR or HIPAA.
Since the vulnerability does not involve confidentiality or integrity breaches but results in denial of service, its impact on compliance with regulations that emphasize data protection and availability is indirect and not explicitly detailed in the provided resources.