Description
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Published: 2026-04-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from insufficient protection of serialized SSL context or session data in Mbed TLS. An attacker who can alter these serialized structures can trigger memory corruption, enabling arbitrary code execution. This is a serious flaw mapped to CWE-250 and CWE-502, reflecting improper privilege handling and insecure deserialization.

Affected Systems

Arm’s Mbed TLS library is affected. All actively supported releases from 2.19.0 up to 3.6.5, and the 4.0.0 release, are vulnerable. Users of these versions should identify which exact build they run and plan an update.

Risk and Exploitability

The CVSS score is 9.8, indicating catastrophic impact. The EPSS score is below 1 % and the issue is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, requiring an attacker to supply a tampered SSL context over the network; this can then be deserialized by the library, causing memory corruption and granting the attacker control of the process.

Generated by OpenCVE AI on April 7, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Mbed TLS patch or upgrade to a fixed release
  • Review Arm’s Mbed TLS security advisories for update details
  • If a patch is not immediately available, restrict or block traffic that transmits serialized SSL context data to isolate the affected systems

Generated by OpenCVE AI on April 7, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via Deserialization of SSL Context in Mbed TLS

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Arm
Arm mbed Tls
CPEs cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
cpe:2.3:a:arm:mbed_tls:4.0.0:*:*:*:*:*:*:*
Vendors & Products Arm
Arm mbed Tls

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via Deserialization of SSL Context in Mbed TLS
First Time appeared Mbed
Mbed mbedtls
Vendors & Products Mbed
Mbed mbedtls

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Weaknesses CWE-250
CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Arm Mbed Tls
Mbed Mbedtls
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:52:53.594Z

Reserved: 2026-03-31T00:00:00.000Z

Link: CVE-2026-34877

cve-icon Vulnrichment

Updated: 2026-04-02T17:50:56.222Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:26.927

Modified: 2026-04-06T21:06:00.037

Link: CVE-2026-34877

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:56:20Z

Weaknesses