Description
An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried out by the peer or, depending on the protocol, by an active network attacker (person in the middle).
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Manipulation of Derived Keys
Action: Immediate Patch
AI Analysis

Impact

The flaw is that Mbed TLS 3.5.x and 3.6.0 through 3.6.5 and TF‑PSA‑Crypto 1.0.0 do not adequately validate the peer's public value in finite‑field Diffie‑Hellman (FFDH). A malicious peer can therefore force the shared secret into a small, predictable set of values whatever private key the honest party uses. The textbook way to do this in any safe‑prime group, including the RFC 7919 groups, is to send a public value of low multiplicative order: 0, 1 or p‑1, which pin the secret to 0, 1 or ±1 respectively. The exchange thereby loses contributory behaviour, meaning the honest party no longer contributes to the derived secret, so any protocol that relies on that property to bind the key to both participants is exposed; per the CVE text, TLS is not such a protocol. The record carries two weakness IDs: CWE‑1287 (Improper Validation of Specified Type of Input), which describes the missing check, and CWE‑347 (Improper Verification of Cryptographic Signature), which concerns signature verification and does not describe this flaw.

Affected Systems

Affected are the Arm Mbed TLS library, versions 3.5.x and 3.6.0 through 3.6.5, and TF‑PSA‑Crypto 1.0.0 (recorded under cpe:2.3:a:arm:mbed_tls and cpe:2.3:a:arm:tf-psa-crypto:1.0.0 below). Both are embedded in IoT devices, secure elements and other constrained systems that perform FFDH key exchanges. Exposure is limited to code that uses the libraries' FFDH primitive in a protocol that relies on contributory behaviour. TLS does not: a peer that forces the secret already knows it, and a third party who substitutes a key share is caught by the handshake signature over the transcript, so TLS never depended on the key exchange itself being contributory.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (score 9.1, Critical) rates the consequences as severe, while the EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: yes, Technical Impact: partial) indicate no known exploitation to date. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. No privileges or user interaction are needed: the attacker is the peer of the FFDH exchange or, in protocols where key shares are not otherwise authenticated, an active attacker in the network path who substitutes the peer's public value. The result is a shared secret the attacker knows or can enumerate, and therefore loss of confidentiality and integrity for traffic protected under keys derived from it, in protocols that depend on contributory behaviour.

Generated by OpenCVE AI on April 3, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arm Mbed TLS, and TF‑PSA‑Crypto where it is used, to a release that validates FFDH peer public values as soon as the maintainers publish one; at the time of this page no fixed version or vendor workaround is listed.
  • If an upgrade is not yet possible, determine whether anything on the system uses the Mbed TLS or TF‑PSA‑Crypto FFDH primitive in a protocol that relies on contributory behaviour (TLS does not). Disable those protocols, move them to a key exchange that does not rely on it, or validate the peer's public value in the application before handing it to the library: reject values outside [2, p‑2] and, for safe‑prime groups such as those of RFC 7919, reject any Y with Y^q mod p ≠ 1 where q = (p‑1)/2.
  • Monitor Diffie‑Hellman exchanges for peer public values of 0, 1 or p‑1, the low‑order elements that force the secret, and keep general hardening in place: retire legacy cryptographic primitives and configure TLS to avoid weak cipher suites.
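The two points above, the mechanism described under Impact and the application-side check suggested as a stopgap, as one worked example. This is an added illustration, not code from Mbed TLS, TF-PSA-Crypto or OpenCVE; it generates a toy safe-prime group just above 2^64 at run time (with g = 4) so that it runs instantly, and all function names are its own. The arithmetic is identical for the 2048-bit and larger RFC 7919 groups.

```python
"""
Added example (not Mbed TLS or TF-PSA-Crypto code): why an unvalidated FFDH
peer value destroys contributory behaviour, and the input check that restores it.

Group shape: a safe prime p = 2q + 1 with q prime and a generator g of the
order-q subgroup, the same shape as the RFC 7919 / RFC 3526 groups.  A safe
prime just above 2**64 is generated here for speed; real groups are 2048+ bits.
"""
import secrets

# Miller-Rabin with these bases is deterministic for all n < 3.3e24, far beyond 64 bits.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Return (p, q, g): the first safe prime p = 2q + 1 with q > 2**(bits-1), and g = 4.
    4 = 2**2 is a quadratic residue mod every prime, so its order divides q; q is
    prime and 4 != 1 (mod p), so g generates the whole order-q subgroup."""
    q = (1 << (bits - 1)) + 1  # odd starting candidate for q
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def keygen(p, q, g):
    """Honest party: private exponent x in [2, q-1], public value Y = g^x mod p."""
    x = 2 + secrets.randbelow(q - 2)
    return x, pow(g, x, p)


def raw_shared_secret(peer_public, own_private, p):
    """Z = Y^x mod p with no check on Y: the behaviour the CVE describes."""
    return pow(peer_public, own_private, p)


def is_valid_peer_public(y, p):
    """Contributory-behaviour check for a safe-prime group.
    1 < Y < p-1 (the range check RFC 7919 requires of TLS peers) rejects 0, 1 and
    p-1, the only elements of order 1 or 2.  Y^q == 1 additionally rejects every
    element of order 2q, whose shared secret would reveal the parity of the
    private exponent, leaving only the prime-order subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def forced_secrets(p, trials=50):
    """A malicious peer sends each low-order value Y in {0, 1, p-1}.  Collect the
    secrets honest parties with fresh random private keys derive from them: no
    matter the private key, only the values 0, 1 and p-1 can come out."""
    q = (p - 1) // 2
    seen = set()
    for y in (0, 1, p - 1):
        for _ in range(trials):
            x, _unused_public = keygen(p, q, 4)
            seen.add(raw_shared_secret(y, x, p))
    return seen


if __name__ == "__main__":
    p, q, g = safe_prime_group()
    print(f"p = {p} (safe prime), g = {g}")
    print("secrets a low-order peer value forces:", sorted(forced_secrets(p)))
    print("do those values pass validation?", [is_valid_peer_public(y, p) for y in (0, 1, p - 1)])
    xa, ya = keygen(p, q, g)
    xb, yb = keygen(p, q, g)
    assert is_valid_peer_public(ya, p) and is_valid_peer_public(yb, p)
    assert raw_shared_secret(yb, xa, p) == raw_shared_secret(ya, xb, p)
    print("honest exchange agrees and both public values pass validation")
```

The range check alone is what defeats the three values that force the secret; the subgroup check costs one extra modular exponentiation and is worth it wherever the derived key, rather than a transcript signature, is what binds the parties. A value of order 2q (for instance p - g here) passes the range check but fails the subgroup check.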

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Arm
                                      Arm mbed Tls
                                      Arm tf-psa-crypto
CPEs                                  cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:arm:tf-psa-crypto:1.0.0:-:*:*:*:*:*:*
Vendors & Products                    Arm
                                      Arm mbed Tls
                                      Arm tf-psa-crypto

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mbed-tls
                                      Mbed-tls mbedtls
Vendors & Products                    Mbed-tls
                                      Mbed-tls mbedtls

Thu, 02 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
Title                                 mbedtls: Mbed TLS and TF-PSA-Crypto: Shared secret manipulation via improper FFDH input validation
Weaknesses                            CWE-1287
References
Metrics              threat_severity  threat_severity
                     None             Important


Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried by the peer, or depending on the protocol by an active network attacker (person in the middle).
Weaknesses                            CWE-347
References
Metrics                               cvssV3_1
                                      {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                                      ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T19:52:25.548Z

Reserved: 2026-03-31T00:00:00.000Z

Link: CVE-2026-34872

Vulnrichment

Updated: 2026-04-01T19:50:04.483Z

NVD

Status : Analyzed

Published: 2026-04-01T20:16:27.493

Modified: 2026-04-03T20:02:33.790

Link: CVE-2026-34872

Red Hat

Severity : Important

Public Date: 2026-04-01T00:00:00Z

Links: CVE-2026-34872 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T08:07:41Z

Weaknesses