
Mbed TLS EUVD-2026-18394

CVE-2026-34877 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
Published 2026-04-02 by cve@mitre.org
CVSS 3.1 score: 9.8 (NVD)

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE: CRITICAL (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Apr 02, 2026 - 17:22 (euvd), EUVD-2026-18394
Analysis Generated: Apr 02, 2026 - 17:22 (vuln.today)
CVE Published: Apr 02, 2026 - 17:16 (nvd)

Description (CVE.org)

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, and Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

Analysis (AI)

Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when an attacker modifies serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Intercept serialized SSL context or session data
Exploit: Modify serialized structure without authentication
Execution: Trigger memory corruption during deserialization
Impact: Execute arbitrary code in application context

Vulnerability Assessment (AI)

Exploitation: The attacker must have the ability to modify serialized SSL context or session structures in Mbed TLS 2.19.0-3.6.5 or 4.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS vector and score are not provided, limiting standard severity quantification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker intercepts or modifies a serialized SSL session stored in a distributed cache or transmitted between application servers. When the application deserializes the modified session structure to resume the TLS connection, the malformed data triggers a buffer overflow in Mbed TLS's deserialization code, allowing the attacker to overwrite memory and execute arbitrary code with the privileges of the TLS library process. …
Remediation: Upgrade Mbed TLS to a patched version released by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.


Vendor Status

SUSE
Severity: Critical
Product Status: openSUSE Tumbleweed - Fixed
