CVE-2026-34877
Status: Analyzed - Analysis Complete
Memory Corruption in Mbed TLS SSL Context Enables Code Execution

Publication date: 2026-04-02

Last updated on: 2026-06-05

Assigner: MITRE

Description
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, and in Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Meta Information
Published: 2026-04-02
Last Modified: 2026-06-05
Generated: 2026-06-16
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-06-15
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: trustedfirmware
Product: mbed_tls
Version / Range: 4.0.0
CWE
CWE-250: The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

CVE-2026-34877 is a vulnerability in Mbed TLS versions from 2.19.0 up to 3.6.5 and version 4.0.0, caused by insufficient protection of serialized SSL context or session structures.

This weakness allows an attacker who can modify these serialized structures to induce memory corruption, which can lead to arbitrary code execution.

The root cause is the incorrect use of privileged APIs that handle these serialized data structures.

Impact Analysis

This vulnerability can have serious impacts including memory corruption and arbitrary code execution if an attacker is able to modify serialized SSL session or context data.

Such impacts can compromise the security and stability of applications using affected versions of Mbed TLS, potentially allowing attackers to execute malicious code.

Mitigation Strategies

The vulnerability arises from insufficient protection of serialized SSL context or session structures in affected Mbed TLS versions. Immediate mitigation involves ensuring that serialized session or context data is adequately safeguarded against modification before it is deserialized, so that a tampered structure cannot cause memory corruption.

Although the provided resources do not detail specific mitigation steps or commands, it is recommended to update Mbed TLS to a version in which this issue is resolved, or to apply any workarounds given in the official Mbed TLS security advisories.
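As an added illustration of the safeguard the mitigation section calls for (not code from Mbed TLS or from this advisory): an application-level wrapper that seals the serializer's output with an HMAC-SHA256 tag when it is stored and refuses to hand the bytes to the deserializer unless the tag verifies, so a modified blob never reaches the loader. The key, the MAGIC header and the `load_session` callback are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example, not Mbed TLS code: the application seals the serializer's
# output with an HMAC-SHA256 tag before storing it and verifies the tag before
# handing the bytes back to the deserializer. Key, MAGIC and `load_session` are assumed.
MAGIC = b"SSLBLOB1"                  # format/version tag; foreign blobs fail fast
TAG_LEN = hashlib.sha256().digest_size

class TamperedBlobError(ValueError):
    """Stored blob failed integrity verification."""

def seal_blob(key: bytes, serialized: bytes) -> bytes:
    """Return MAGIC || serialized || HMAC(key, MAGIC || serialized)."""
    body = MAGIC + serialized
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_blob(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time; return the serialized bytes only on success."""
    if len(sealed) < len(MAGIC) + TAG_LEN or not sealed.startswith(MAGIC):
        raise TamperedBlobError("bad header or truncated blob")
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # MAC check before any parsing
        raise TamperedBlobError("HMAC mismatch: blob modified or wrong key")
    return body[len(MAGIC):]

def restore_session(key: bytes, sealed: bytes, load_session) -> bool:
    """Call the (assumed) deserializer only on bytes that passed verification."""
    try:
        payload = open_blob(key, sealed)
    except TamperedBlobError:
        return False  # refuse to load; the caller logs it and runs a fresh handshake
    load_session(payload)
    return True

def demo() -> tuple:
    """Constructed blob: a clean restore succeeds, a single flipped bit is rejected."""
    key = os.urandom(32)
    serialized = bytes(range(64))        # stand-in for the serializer's output
    sealed = seal_blob(key, serialized)
    loaded = []
    ok = restore_session(key, sealed, loaded.append)
    tampered = bytearray(sealed)
    tampered[len(MAGIC) + 10] ^= 0x01     # flip one bit inside the serialized payload
    rejected = not restore_session(key, bytes(tampered), loaded.append)
    return ok, rejected, loaded == [serialized]
```

The sealing key must itself live outside the attacker's reach (for example in the same trusted storage as the private key), otherwise the tag provides no protection.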
