Skip to main content

Mbed TLS EUVDEUVD-2026-17993

| CVE-2026-34875 CRITICAL
Classic Buffer Overflow (CWE-120)
2026-04-01 mitre GHSA-g3pc-q77x-rjjp
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
9.8 CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 18:15 euvd
EUVD-2026-17993
Analysis Generated
Apr 01, 2026 - 18:15 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.

AnalysisAI

Buffer overflow in Mbed TLS public key export functionality for Finite Field Diffie-Hellman (FFDH) keys affects versions through 3.6.5 and TF-PSA-Crypto 1.0.0. An attacker can trigger a memory corruption condition during FFDH public key export operations, potentially enabling code execution or denial of service depending on memory layout and application context. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

Mbed TLS is a cryptographic library providing TLS/SSL and general-purpose cryptographic functions. TF-PSA-Crypto is a reference implementation of the Platform Security Architecture (PSA) Cryptography API specification. The vulnerability resides in the public key export mechanism for FFDH (Finite Field Diffie-Hellman) keys-a cryptographic algorithm used for key exchange. The buffer overflow likely occurs when serializing FFDH public key material into a fixed-size or improperly-validated buffer during the export process, allowing an attacker to write beyond allocated memory boundaries. Affected versions include Mbed TLS up to and including 3.6.5 and TF-PSA-Crypto 1.0.0, indicating the defect spans both the original library and the PSA-compliant reference implementation.

RemediationAI

Upgrade Mbed TLS to the patched version released after 3.6.5, and upgrade TF-PSA-Crypto to a version after 1.0.0. Exact fixed version numbers are not specified in the provided data; consult the official Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/ for the definitive patch version and release date. As a temporary mitigation, applications should avoid FFDH key export operations or disable FFDH algorithm support if not required for their use case. Recompilation and redeployment of applications using Mbed TLS are required after patching.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-17993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy