CVE-2025-27810

Published: Mar 25, 2025Modified: Oct 30, 2025

4.8

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.2 / Impact: 2.5

Source: NVD

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

Affected (2)

Products: Arm: Mbed Tls

Arm

1 product

Mbed Tls

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Arm Mbed Tls	Before 2.28.10
Arm Mbed Tls	From 3.0.0 to 3.6.3

Related CWEs

CWE-908

Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

References (2)

https://github.com/Mbed-TLS/mbedtls/releases

Source: cve@mitre.org

Release Notes

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.