An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Mbed TLS enables serialization and deserialization of SSL context and session structures — this mechanism is used, among other things, to save and restore the state of TLS connections. Insufficient protection of these structures during deserialization means that an attacker capable of modifying serialized data can trigger memory corruption. The vulnerability is caused by improper use of privileged APIs (CWE-250), which combined with the lack of data validation during deserialization (CWE-502) opens the way to arbitrary code execution.
An attacker can lead to arbitrary code execution in the context of a process using the vulnerable library, which in practice means the possibility of complete system takeover, breach of data confidentiality and integrity, and causing denial of service.
Apply patches available from the manufacturer according to the references. Detailed information about patched versions is available in the official Mbed TLS security bulletin at: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/
Arm Mbed TLS versions from 2.19.0 to 3.6.5 inclusive and Mbed TLS 4.0.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HArm Mbed Tls
APPArm2.19.0 – 3.6.6 (bez)Trustedfirmware Mbed Tls
APPTrustedfirmware4.0.0
Related vulnerabilities
Arm Mbed TLS: podszywanie się pod klienta przy wznawianiu sesji TLS 1.3
Brak weryfikacji wkładu strony w FFDH w Mbed TLS i TF-PSA-Crypto
Buffer overflow w eksporcie klucza publicznego FFDH w Mbed TLS i TF-PSA-Crypto
Buffer underrun w Mbed TLS podczas zapisu nieprzezroczystej pary kluczy
Arm Mbed TLS: błąd weryfikacji certyfikatu klienta w TLS 1.3