Description
An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized tag_len parameter. This is caused by missing validation of the tag_len parameter against the size of the internal 16-byte authentication buffer. The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.
Published: 2026-04-02
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Information Disclosure via Out‑of‑Bounds Read
Action: Immediate Patch
AI Analysis

Impact

Mbed TLS 3.x before version 3.6.6 contains an out‑of‑bounds read in the function mbedtls_ccm_finish() where the tag_len parameter is not validated against the internal 16‑byte authentication buffer. An attacker who can invoke the multipart CCM API may supply an oversized tag_len and read data that lies just beyond the intended buffer. This allows the leakage of adjacent CCM context data, potentially exposing sensitive authentication material and compromising confidentiality.

Affected Systems

The vulnerability affects the open‑source Mbed TLS cryptographic library. All 3.x releases prior to 3.6.6 are exposed, as the public multipart CCM API allows direct invocation of mbedtls_ccm_finish(). Mbed TLS 4.x contains the same internal missing validation, but the function is not publicly exposed, so the risk is limited to library developers. No vendor or product name beyond Mbed TLS is listed.

Risk and Exploitability

Exploitation requires application‑level use of the multipart CCM API and the ability to supply an oversized tag_len. It does not provide remote code execution or denial of service, but it enables covert data leakage. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed widespread exploitation yet. However, the CVSS score is high enough that any system using the affected library should apply the patch promptly.

Generated by OpenCVE AI on April 2, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mbed TLS to version 3.6.6 or later, which includes bounds checking in mbedtls_ccm_finish().
  • If using Mbed TLS 4.x, apply the internal fix that adds tag_len validation to the implementation.
  • For environments where an immediate upgrade is not possible, add application‑level validation to ensure tag_len does not exceed the 16‑byte authentication buffer or disable the multipart CCM API until a patched version is available.
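A guard of the kind the third action describes, added here as an example rather than code from Mbed TLS or OpenCVE: it rejects any tag_len the 16-byte authentication buffer cannot satisfy before the call reaches the library. The callback type, the names ccm_finish_checked and ccm_tag_len_is_valid, and the demo_finish stand-in are assumptions; in a real build the callback would forward to mbedtls_ccm_finish().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The internal CCM authentication buffer is 16 bytes (per the advisory);
 * CCM itself only allows even tag lengths from 4 to 16 (RFC 3610). */
#define CCM_TAG_BUFFER_LEN 16
#define CCM_WRAP_BAD_INPUT (-1) /* assumed wrapper error code, not a library value */

/* Same shape as mbedtls_ccm_finish(ctx, tag, tag_len); void * stands in for
 * mbedtls_ccm_context * so this file builds without the library. */
typedef int (*ccm_finish_fn)(void *ctx, unsigned char *tag, size_t tag_len);
/* 1 if tag_len is a length CCM permits, which also keeps the copy inside
 * finish() within the 16-byte buffer; 0 otherwise. */
int ccm_tag_len_is_valid(size_t tag_len)
{
    return tag_len >= 4 && tag_len <= CCM_TAG_BUFFER_LEN && (tag_len % 2) == 0;
}

/* Application-level guard: the library never sees an oversized tag_len. */
int ccm_finish_checked(ccm_finish_fn finish, void *ctx,
                       unsigned char *tag, size_t tag_len)
{
    if (finish == NULL || tag == NULL || !ccm_tag_len_is_valid(tag_len)) {
        return CCM_WRAP_BAD_INPUT;
    }
    return finish(ctx, tag, tag_len);
}

/* Demo stand-in (not mbedtls_ccm_finish): records the tag_len it received. */
size_t demo_last_tag_len = 0;
int demo_finish(void *ctx, unsigned char *tag, size_t tag_len)
{
    (void) ctx;
    demo_last_tag_len = tag_len;
    memset(tag, 0xAA, tag_len); /* constructed tag bytes */
    return 0;
}

int main(void)
{
    unsigned char tag[64];
    size_t lens[] = { 8, 16, 17, 32 }; /* constructed sample lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc = ccm_finish_checked(demo_finish, NULL, tag, lens[i]);
        printf("tag_len=%zu -> %s\n", lens[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```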

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Title                                 Out-of-Bounds Read in Mbed TLS CCM API Enabling Information Disclosure
First Time appeared                   Mbed-tls
                                      Mbed-tls mbedtls
Weaknesses                            CWE-119
                                      CWE-125
                                      CWE-200
Vendors & Products                    Mbed-tls
                                      Mbed-tls mbedtls
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                                      ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description                    An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized tag_len parameter. This is caused by missing validation of the tag_len parameter against the size of the internal 16-byte authentication buffer. The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T15:54:45.230Z

Reserved: 2026-03-31T00:00:00.000Z

Link: CVE-2026-34876

Vulnrichment

Updated: 2026-04-02T15:54:17.890Z

NVD

Status : Received

Published: 2026-04-02T16:16:26.180

Modified: 2026-04-02T17:16:26.753

Link: CVE-2026-34876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:23Z

Weaknesses