Skip to main content

CVE-2026-25833

| EUVDEUVD-2026-17997 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-01 mitre GHSA-jr87-qch5-gjc6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 19:00 euvd
EUVD-2026-17997
Analysis Generated
Apr 01, 2026 - 19:00 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function

AnalysisAI

Buffer overflow in Mbed TLS versions 3.5.0 through 3.6.5 allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted input to the x509_inet_pton_ipv6() function used in X.509 certificate parsing. The vulnerability is fixed in Mbed TLS 3.6.6 and 4.1.0. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability resides in the x509_inet_pton_ipv6() function, which is responsible for parsing IPv6 addresses within X.509 certificate processing. This function contains a buffer overflow condition, which is a classic memory safety vulnerability where data written to a buffer exceeds its allocated size. The affected versions span Mbed TLS 3.5.0 through 3.6.5, indicating the flaw was introduced or persisted across multiple minor releases before remediation. Buffer overflows in certificate parsing functions are particularly critical because X.509 validation is a fundamental operation in TLS/SSL implementations, affecting any system that processes untrusted certificates.

RemediationAI

Upgrade to Mbed TLS 3.6.6 or later (4.1.0 is also available as a newer major release). Organizations unable to upgrade immediately should review their certificate processing pipeline to determine whether untrusted X.509 certificates are parsed by vulnerable code paths. In some deployments, certificate validation may occur in a sandboxed or network-isolated context that reduces exposure. The official Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/ provides additional context and should be consulted for product-specific guidance. Vendors shipping Mbed TLS as a dependency should release patched versions as soon as feasible.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2026-25833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy