Skip to main content

Mbed TLS CVE-2026-34873

| EUVDEUVD-2026-18064 CRITICAL
Improper Authentication (CWE-287)
2026-04-01 mitre
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
CRITICAL
qualitative
Red Hat
10.0 CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 21:00 euvd
EUVD-2026-18064
Analysis Generated
Apr 01, 2026 - 21:00 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
CRITICAL 9.1

DescriptionCVE.org

An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.

AnalysisAI

Mbed TLS versions 3.5.0 through 4.0.0 allow client impersonation during TLS 1.3 session resumption, enabling an attacker to assume the identity of a legitimate client when reestablishing a previously negotiated session. The vulnerability affects the session resumption mechanism in TLS 1.3 and permits information disclosure; no CVSS score or exploit status data is currently available from public sources.

Technical ContextAI

Mbed TLS is a widely-used cryptographic library implementing TLS/SSL protocols. TLS 1.3 session resumption uses session tickets and PSK (Pre-Shared Key) mechanisms to allow clients to reconnect without full handshakes. The vulnerability resides in the session resumption logic between versions 3.5.0 and 4.0.0, where insufficient validation or binding of session identifiers permits an unauthenticated attacker to replay or forge session tickets to impersonate a legitimate client. This is a violation of the TLS 1.3 specification's session binding guarantees, likely related to improper cryptographic validation of session state or client identity markers during ticket decryption or PSK derivation.

RemediationAI

Upgrade Mbed TLS to a patched version released after 4.0.0 or to the latest stable release confirmed by the Mbed TLS project as containing the fix. Consult the official Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/ for exact fix versions and release dates. If immediate patching is not feasible, disable TLS 1.3 session resumption on affected servers (via configuration) as a temporary workaround; however, this reduces performance and should not substitute for patching. Coordinate patching with firmware and dependency updates for embedded deployments.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-34873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy