anonhaven
Ad

CVE-2026-34876

HIGH CVSS 3.1: 7.5 EPSS 0.02%
Updated Apr 07, 2026
Arm
Parameter Value
CVSS 7.5 (HIGH)
Affected Versions 3.1.0 — 3.6.6
Fixed In 3.6.6
Type CWE-125 (Out-of-bounds Read)
Vendor Arm
Public PoC No

An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized tag_len parameter. This is caused by missing validation of the tag_len parameter against the size of the internal 16-byte authentication buffer.

The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-125 Out-of-bounds Read

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Arm Mbed_Tls
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
 3.1.0 3.6.6

References 2

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-…
cve@mitre.org
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34877

Arm

9.8

CVE-2026-34873

Arm

9.1

CVE-2026-34872

Arm

9.1

CVE-2025-66442

Arm

5.1

CVE-2026-34874

Arm

7.5