Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair
The vulnerability occurs in the pkwrite module of the Mbed TLS library when processing an opaque key pair. During the key write operation, a write occurs below the lower boundary of the allocated buffer (buffer underrun), resulting in memory corruption outside the intended area. This type of error can lead to controlled overwriting of data in the process memory, potentially allowing an attacker to gain control over code execution.
An attacker can cause memory corruption, which in the worst-case scenario enables remote code execution (RCE), disclosure of sensitive data, or application crash using the Mbed TLS library.
Mbed TLS should be updated to version 3.6.2 or later. Detailed information is available in the official security bulletin from the vendor at: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/
Arm Mbed TLS in versions 3.5.x and 3.6.x before 3.6.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTrustedfirmware Mbed Tls
APPTrustedfirmware3.5.0 – 3.6.2 (bez)
Related vulnerabilities
RCE przez deserializację kontekstu SSL w Mbed TLS
Arm Mbed TLS: podszywanie się pod klienta przy wznawianiu sesji TLS 1.3
Buffer overflow w eksporcie klucza publicznego FFDH w Mbed TLS i TF-PSA-Crypto
Arm Mbed TLS: błąd weryfikacji certyfikatu klienta w TLS 1.3
Stack buffer overflow w Mbed TLS – funkcje konwersji ECDSA