Skip to main content

Mbed TLS CVE-2026-34874

| EUVDEUVD-2026-18003 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-01 mitre GHSA-5jpv-5p2x-4fwv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 19:00 euvd
EUVD-2026-18003
Analysis Generated
Apr 01, 2026 - 19:00 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.

AnalysisAI

NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability exists in the X.509 certificate distinguished name parsing logic within Mbed TLS, a widely-used open-source cryptographic library. Distinguished names are hierarchical identifiers embedded in X.509 digital certificates and are parsed during certificate validation workflows. The NULL pointer dereference occurs when the parser attempts to dereference an uninitialized or improperly validated pointer during DN processing. This type of flaw falls under improper pointer validation and memory safety issues common in C-based cryptographic libraries. The affected functionality is core to TLS handshake processing, where certificates are validated before secure connections are established.

RemediationAI

Upgrade Mbed TLS to a patched version released after the advisory publication. Consult the Arm Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/ for the exact recommended upgrade version for your branch (3.x or 4.x). If immediate patching is not feasible, restrict or validate certificate sources to prevent injection of malformed distinguished names, and implement certificate pinning where applicable. Monitor for application crashes during TLS handshake as an early indicator of exploitation attempts. Test patches in a staging environment before production deployment due to the security-critical nature of cryptographic library updates.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2026-34874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy