CVE-2026-34876

Source
https://cve.org/CVERecord?id=CVE-2026-34876
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34876.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34876
Downstream
Related
Published
2026-04-02T00:00:00Z
Modified
2026-07-15T01:48:51.063969949Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtlsccmfinish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized taglen parameter. This is caused by missing validation of the taglen parameter against the size of the internal 16-byte authentication buffer. The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtlsccmfinish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34876.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "3.x"
                },
                {
                    "fixed": "3.6.6"
                }
            ],
            "source": "DESCRIPTION"
        }
    ],
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/mbed-tls/mbedtls

Affected ranges

Type
GIT
Repo
https://github.com/mbed-tls/mbedtls
Events
Database specific
{
    "cpe": "cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.6.6"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34876.json"