CVE-2021-44732

Published: Dec 20, 2021Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.

Affected (5)

Products: Arm: Mbed Tls · Debian: Debian Linux

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Arm Mbed Tls	Before 2.16.12
Arm Mbed Tls	From 2.17.0 to 2.28.0
Arm Mbed Tls	Version 3.0.0
Arm Mbed Tls	Version 3.0.0 preview1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

CWE-415

Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References (15)

https://bugs.gentoo.org/829660

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

https://github.com/ARMmbed/mbedtls/releases

Source: cve@mitre.org

Release Notes

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12

Source: cve@mitre.org

Release Notes

https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0

Source: cve@mitre.org

Release Notes

https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0

Source: cve@mitre.org

Release Notes

https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://bugs.gentoo.org/829660