CVE-2026-34877

Source
https://cve.org/CVERecord?id=CVE-2026-34877
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34877.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34877
Downstream
Related
Published
2026-04-02T00:00:00Z
Modified
2026-07-08T07:32:35.406826729Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34877.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/mbed-tls/mbedtls

Affected ranges

Type
GIT
Repo
https://github.com/mbed-tls/mbedtls
Events
Database specific
{
    "cpe": "cpe:2.3:a:trustedfirmware:mbed_tls:4.0.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.0.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

4.*
4.0.0
mbedtls-4.*
mbedtls-4.0.0
v4.*
v4.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34877.json"