anonhaven
Ad

CVE-2026-34877

CRITICAL CVSS 3.1: 9.8 EPSS 0.15%
Updated Apr 06, 2026
Arm
Parameter Value
CVSS 9.8 (CRITICAL)
Affected Versions 2.19.0 — 3.6.6
Fixed In 3.6.6
Type CWE-502 (Deserialization of Untrusted Data), CWE-250
Vendor Arm
Public PoC No

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-502 Deserialization of Untrusted Data
CWE-250

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Arm Mbed_Tls
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
 2.19.0 3.6.6
Arm Mbed_Tls
cpe:2.3:a:arm:mbed_tls:4.0.0:*:*:*:*:*:*:*

References 2

https://mbed-tls.readthedocs.io/en/latest/security-advisories/
cve@mitre.org
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-…
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34876

Arm

7.5

CVE-2026-34873

Arm

9.1

CVE-2026-34872

Arm

9.1

CVE-2025-66442

Arm

5.1

CVE-2026-34874

Arm

7.5