CVE-2026-34877
Status: Received - Intake
Memory Corruption in Mbed TLS SSL Context Enables Code Execution

Publication date: 2026-04-02

Last updated on: 2026-04-06

Assigner: MITRE

Description
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5 and in Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by incorrect use of privileged APIs.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arm mbed_tls 4.0.0
arm mbed_tls From 2.19.0 (inc) to 3.6.6 (exc)
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34877 is a vulnerability in Mbed TLS versions from 2.19.0 up to 3.6.5 and version 4.0.0, caused by insufficient protection of serialized SSL context or session structures.

This weakness allows an attacker who can modify these serialized structures to induce memory corruption, which can lead to arbitrary code execution.

The root cause is the incorrect use of privileged APIs that handle these serialized data structures.

How can this vulnerability impact me?

This vulnerability can have serious impacts including memory corruption and arbitrary code execution if an attacker is able to modify serialized SSL session or context data.

Such impacts can compromise the security and stability of applications using affected versions of Mbed TLS, potentially allowing attackers to execute malicious code.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability arises from insufficient protection of serialized SSL context or session structures in affected Mbed TLS versions. Immediate mitigation involves ensuring that serialized session or context data is adequately safeguarded to prevent memory corruption.

Although specific mitigation steps or commands are not detailed in the provided resources, it is recommended to update Mbed TLS to a version where this issue is resolved or apply any available workarounds mentioned in the official Mbed TLS security advisories.
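The advisory's point is that the bytes produced by Mbed TLS's serialization routines (mbedtls_ssl_context_save()/mbedtls_ssl_context_load() and mbedtls_ssl_session_save()/mbedtls_ssl_session_load()) are only safe to reload when nobody else has been able to change them. The following is an added example, not Mbed TLS code and not a substitute for upgrading to a fixed release: it shows the "adequate safeguarding" the answer above refers to, by attaching an HMAC-SHA256 tag to a serialized blob before it is stored and verifying that tag before any deserializer is allowed to parse it. The MAGIC header, the constructed sample blob and the load_fn callback (a stand-in for a binding to mbedtls_ssl_context_load) are assumptions for the demonstration.

```python
"""Integrity-wrapping a serialized TLS session/context blob (added example; not Mbed TLS code).

A blob that was modified in storage or in transit is rejected here before
any load routine sees it, which removes the precondition the CVE describes
(an attacker who can modify the serialized structure).
"""
import hashlib
import hmac
import os

MAGIC = b"SSLCTX1"                       # constructed format/version label for the wrapper
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC-SHA256 tag


class TamperedBlob(ValueError):
    """Raised when the tag does not verify: the payload must not be deserialized."""


def seal(serialized: bytes, key: bytes) -> bytes:
    """Return MAGIC || tag || serialized, with tag = HMAC-SHA256(key, MAGIC || serialized)."""
    if len(key) < 32:
        raise ValueError("use an integrity key of at least 32 bytes")
    tag = hmac.new(key, MAGIC + serialized, hashlib.sha256).digest()
    return MAGIC + tag + serialized


def open_sealed(wrapped: bytes, key: bytes) -> bytes:
    """Verify the tag and return the original serialized bytes, or raise TamperedBlob.

    Every check runs before a single byte of the payload is interpreted, so a
    truncated, corrupted or edited blob never reaches the deserializer.
    """
    if len(wrapped) < len(MAGIC) + TAG_LEN or not wrapped.startswith(MAGIC):
        raise TamperedBlob("bad header or truncated blob")
    tag = wrapped[len(MAGIC):len(MAGIC) + TAG_LEN]
    payload = wrapped[len(MAGIC) + TAG_LEN:]
    expected = hmac.new(key, MAGIC + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedBlob("integrity tag mismatch")
    return payload


def restore_context(wrapped: bytes, key: bytes, load_fn):
    """Gate a deserializer (e.g. a binding to mbedtls_ssl_context_load) behind the check.

    load_fn is a hypothetical callback; it is only invoked on verified bytes.
    """
    return load_fn(open_sealed(wrapped, key))


def demo() -> str:
    """Round-trip a constructed blob, then corrupt one byte and show the loader is never called."""
    key = os.urandom(32)   # in practice a key held only by the application process
    blob = b"\x01\x02" + b"constructed-stand-in-for-mbedtls_ssl_context_save-output"
    wrapped = seal(blob, key)
    calls = []
    restore_context(wrapped, key, lambda b: calls.append(b) or b)
    corrupted = bytearray(wrapped)
    corrupted[-1] ^= 0x01                # flip one payload byte
    try:
        restore_context(bytes(corrupted), key, lambda b: calls.append(b) or b)
    except TamperedBlob:
        return "rejected" if calls == [blob] else "loader-called"
    return "accepted"


if __name__ == "__main__":
    print(demo())
```

The tag covers the header as well as the payload, so a blob written under one format label cannot be replayed under another, and the comparison uses hmac.compare_digest so that verification time does not leak how many tag bytes matched. If the serialized state also has to stay confidential (it contains session keys), authenticated encryption such as AES-GCM under a key the storage layer never holds is the stronger choice; the integrity check shown here is the minimum that removes the "attacker can modify the serialized structures" precondition.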