Description
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Published: 2026-04-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from insufficient protection of serialized SSL context or session structures. An attacker who can modify these serialized structures can trigger memory corruption that leads to arbitrary code execution. The underlying weakness is incorrect use of privileged APIs, which allows the library's serialization routines to be exploited with attacker-controlled input.

Affected Systems

Mbed TLS versions 2.19.0 through 3.6.5 and the 4.0.0 release are impacted. The issue lies in the core TLS library and may affect any application built against an affected version.

Risk and Exploitability

The CVSS score of 9.8 places this vulnerability in the critical range. While the EPSS score is unavailable and the vulnerability is not listed in the KEV catalog, the high severity indicates significant risk. Based on the description, the likely attack vector is an attacker who can inject or alter serialized SSL context data, for example over the network or through a compromised storage medium, leading to execution of privileged code paths within the library and full compromise of the vulnerable process.

Generated by OpenCVE AI on April 2, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mbed TLS to a version that includes the CVE-2026-34877 fix.
  • If an upgrade is delayed, isolate the affected application from the network until a patch is applied.
  • Ensure the application does not serialize or persist SSL context structures externally.
  • Monitor the system for signs of memory corruption or unexpected crashes.
  • Apply any vendor-specified security hardening guidelines while waiting for a patch.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
Title                                 Arbitrary Code Execution via Deserialization of SSL Context in Mbed TLS
First Time appeared                   Mbed; Mbed mbedtls
Vendors & Products                    Mbed; Mbed mbedtls

Thu, 02 Apr 2026 20:30:00 +0000

Type           Values Removed   Values Added
Description                     An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Weaknesses                      CWE-250; CWE-502
References
Metrics                         cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:52:53.594Z

Reserved: 2026-03-31T00:00:00.000Z

Link: CVE-2026-34877

Vulnrichment

Updated: 2026-04-02T17:50:56.222Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T17:16:26.927

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:59Z

Weaknesses