An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server into an infinite loop processing a TLS 1.2 ClientHello, resulting in a denial of service. If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client can successfully establish a TLS 1.2 connection with the server.
History

Mon, 18 Nov 2024 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-04-03T00:00:00

Updated: 2024-11-18T21:32:24.418Z

Reserved: 2024-03-11T00:00:00

Link: CVE-2024-28836

cve-icon Vulnrichment

Updated: 2024-08-02T00:56:58.415Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-03T03:15:10.350

Modified: 2024-11-21T09:07:02.010

Link: CVE-2024-28836

cve-icon Redhat

No data.