Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

Type deb

Namespace debian

Name mbedtls

Version 3.6.5-0.1~deb13u1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url

VCID-4sbv-dqyv-6baw

vulnerability_id

VCID-4sbv-dqyv-6baw

summary

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-45157

reference_id

reference_type

scores

value	0.00163
scoring_system	epss
scoring_elements	0.37213
published_at	2026-04-21T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37289
published_at	2026-04-09T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37299
published_at	2026-04-11T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37266
published_at	2026-04-12T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37238
published_at	2026-04-13T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37284
published_at	2026-04-16T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37267
published_at	2026-04-18T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.3737
published_at	2026-04-02T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37396
published_at	2026-04-04T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37224
published_at	2026-04-07T12:55:00Z

value	0.00163
scoring_system	epss
scoring_elements	0.37275
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-45157

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/

reference_id

mbedtls-security-advisory-2024-08-1

reference_type

scores

value	5.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:29:47Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/

reference_url

https://github.com/Mbed-TLS/mbedtls/releases/

reference_id

releases

reference_type

scores

value	5.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:29:47Z/

url

https://github.com/Mbed-TLS/mbedtls/releases/

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/

reference_id

security-advisories

reference_type

scores

value	5.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:29:47Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/

fixed_packages

aliases

CVE-2024-45157

risk_score

2.3

exploitability

0.5

weighted_severity

4.6

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-4sbv-dqyv-6baw

Fixing_vulnerabilities

url VCID-5bxk-rknm-zfhc

vulnerability_id VCID-5bxk-rknm-zfhc

summary Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-23775

reference_id

reference_type

scores

value	0.00394
scoring_system	epss
scoring_elements	0.6034
published_at	2026-04-21T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60316
published_at	2026-04-09T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60337
published_at	2026-04-11T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60323
published_at	2026-04-12T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60304
published_at	2026-04-13T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60344
published_at	2026-04-16T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60352
published_at	2026-04-18T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60256
published_at	2026-04-02T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60283
published_at	2026-04-04T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60252
published_at	2026-04-07T12:55:00Z

value	0.00394
scoring_system	epss
scoring_elements	0.60302
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-23775

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23775
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23775

reference_url	https://security.gentoo.org/glsa/202409-14
reference_id	GLSA-202409-14
reference_type
scores
url	https://security.gentoo.org/glsa/202409-14

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5/

reference_id

GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:39Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2/

reference_id

IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:39Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2/

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

reference_id

mbedtls-security-advisory-2024-01-2

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T17:27:39Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2024-23775

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5bxk-rknm-zfhc

url VCID-7ppw-f9jy-k7ae

vulnerability_id VCID-7ppw-f9jy-k7ae

summary Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-52497

reference_id

reference_type

scores

value	0.00092
scoring_system	epss
scoring_elements	0.26081
published_at	2026-04-02T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.25957
published_at	2026-04-08T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.26008
published_at	2026-04-09T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.26018
published_at	2026-04-11T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.25918
published_at	2026-04-16T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.25899
published_at	2026-04-18T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.26121
published_at	2026-04-04T12:55:00Z

value	0.00092
scoring_system	epss
scoring_elements	0.25887
published_at	2026-04-07T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26249
published_at	2026-04-13T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26308
published_at	2026-04-12T12:55:00Z

value	0.001
scoring_system	epss
scoring_elements	0.27642
published_at	2026-04-21T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-52497

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52497
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52497

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108786
reference_id	1108786
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108786

reference_url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md

reference_id

mbedtls-security-advisory-2025-06-2.md

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T13:18:40Z/

url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@2.28.3-1

purl pkg:deb/debian/mbedtls@2.28.3-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

vulnerability	VCID-5bxk-rknm-zfhc

vulnerability	VCID-7ppw-f9jy-k7ae

vulnerability	VCID-7v3a-5q44-cucz

vulnerability	VCID-98cg-wuhp-qudq

vulnerability	VCID-f1fz-b8b6-dfb8

vulnerability	VCID-gvkn-6e2m-dyez

vulnerability	VCID-kchn-2wez-bbb2

vulnerability	VCID-pj6w-rufw-nqgd

vulnerability	VCID-vp4q-81cq-33cw

vulnerability	VCID-vs6q-c4ug-xfer

vulnerability	VCID-wsvw-6tmk-3kdj

vulnerability	VCID-zpq1-dwvf-8ka2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@2.28.3-1

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-52497

risk_score 2.1

exploitability 0.5

weighted_severity 4.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ppw-f9jy-k7ae

url VCID-7v3a-5q44-cucz

vulnerability_id VCID-7v3a-5q44-cucz

summary Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-48965

reference_id

reference_type

scores

value	0.00033
scoring_system	epss
scoring_elements	0.09613
published_at	2026-04-04T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09562
published_at	2026-04-02T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13755
published_at	2026-04-08T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13673
published_at	2026-04-07T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13806
published_at	2026-04-09T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13774
published_at	2026-04-11T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13737
published_at	2026-04-12T12:55:00Z

value	0.00045
scoring_system	epss
scoring_elements	0.13688
published_at	2026-04-13T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.18655
published_at	2026-04-18T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.18643
published_at	2026-04-16T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.18673
published_at	2026-04-21T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-48965

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48965
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48965

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108790
reference_id	1108790
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108790

reference_url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md

reference_id

mbedtls-security-advisory-2025-06-6.md

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-23T14:32:31Z/

url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-23T14:32:31Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@2.28.3-1

purl pkg:deb/debian/mbedtls@2.28.3-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

vulnerability	VCID-5bxk-rknm-zfhc

vulnerability	VCID-7ppw-f9jy-k7ae

vulnerability	VCID-7v3a-5q44-cucz

vulnerability	VCID-98cg-wuhp-qudq

vulnerability	VCID-f1fz-b8b6-dfb8

vulnerability	VCID-gvkn-6e2m-dyez

vulnerability	VCID-kchn-2wez-bbb2

vulnerability	VCID-pj6w-rufw-nqgd

vulnerability	VCID-vp4q-81cq-33cw

vulnerability	VCID-vs6q-c4ug-xfer

vulnerability	VCID-wsvw-6tmk-3kdj

vulnerability	VCID-zpq1-dwvf-8ka2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@2.28.3-1

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-48965

risk_score 1.8

exploitability 0.5

weighted_severity 3.6

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7v3a-5q44-cucz

url VCID-98cg-wuhp-qudq

vulnerability_id VCID-98cg-wuhp-qudq

summary Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47917

reference_id

reference_type

scores

value	0.0361
scoring_system	epss
scoring_elements	0.87753
published_at	2026-04-04T12:55:00Z

value	0.0361
scoring_system	epss
scoring_elements	0.87739
published_at	2026-04-02T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88959
published_at	2026-04-18T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88955
published_at	2026-04-21T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88949
published_at	2026-04-12T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88948
published_at	2026-04-13T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88961
published_at	2026-04-16T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.8892
published_at	2026-04-07T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88938
published_at	2026-04-08T12:55:00Z

value	0.04351
scoring_system	epss
scoring_elements	0.88943
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47917

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47917
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47917

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108791
reference_id	1108791
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108791

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/local/52427.c
reference_id	CVE-2025-47917
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/local/52427.c

reference_url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md

reference_id

mbedtls-security-advisory-2025-06-7.md

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-22T14:22:32Z/

url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	8.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-22T14:22:32Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@2.28.3-1

purl pkg:deb/debian/mbedtls@2.28.3-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

vulnerability	VCID-5bxk-rknm-zfhc

vulnerability	VCID-7ppw-f9jy-k7ae

vulnerability	VCID-7v3a-5q44-cucz

vulnerability	VCID-98cg-wuhp-qudq

vulnerability	VCID-f1fz-b8b6-dfb8

vulnerability	VCID-gvkn-6e2m-dyez

vulnerability	VCID-kchn-2wez-bbb2

vulnerability	VCID-pj6w-rufw-nqgd

vulnerability	VCID-vp4q-81cq-33cw

vulnerability	VCID-vs6q-c4ug-xfer

vulnerability	VCID-wsvw-6tmk-3kdj

vulnerability	VCID-zpq1-dwvf-8ka2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@2.28.3-1

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-47917

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-98cg-wuhp-qudq

url VCID-f1fz-b8b6-dfb8

vulnerability_id VCID-f1fz-b8b6-dfb8

summary Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-23170

reference_id

reference_type

scores

value	0.00208
scoring_system	epss
scoring_elements	0.43173
published_at	2026-04-21T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43202
published_at	2026-04-08T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43215
published_at	2026-04-09T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43237
published_at	2026-04-18T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43203
published_at	2026-04-12T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43188
published_at	2026-04-13T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43248
published_at	2026-04-16T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43184
published_at	2026-04-02T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43213
published_at	2026-04-04T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.4315
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-23170

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23170
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23170

reference_url	https://security.gentoo.org/glsa/202409-14
reference_id	GLSA-202409-14
reference_type
scores
url	https://security.gentoo.org/glsa/202409-14

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5/

reference_id

GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-31T15:14:22Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GP5UU7Z6LJNBLBT4SC5WWS2HDNMTFZH5/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2/

reference_id

IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-31T15:14:22Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IIBPEYSVRK4IFLBSYJAWKH33YBNH5HR2/

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

reference_id

mbedtls-security-advisory-2024-01-1

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-31T15:14:22Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2024-23170

risk_score 2.5

exploitability 0.5

weighted_severity 5.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1fz-b8b6-dfb8

url VCID-gvkn-6e2m-dyez

vulnerability_id VCID-gvkn-6e2m-dyez

summary Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27809

reference_id

reference_type

scores

value	0.00081
scoring_system	epss
scoring_elements	0.23706
published_at	2026-04-21T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23731
published_at	2026-04-13T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23741
published_at	2026-04-16T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23729
published_at	2026-04-18T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23872
published_at	2026-04-02T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23912
published_at	2026-04-04T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23701
published_at	2026-04-07T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23771
published_at	2026-04-08T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23818
published_at	2026-04-09T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23832
published_at	2026-04-11T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23788
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27809

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27809
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27809

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101499
reference_id	1101499
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101499

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

reference_id

mbedtls-security-advisory-2025-03-1

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-25T14:41:49Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

reference_url

https://github.com/Mbed-TLS/mbedtls/releases

reference_id

releases

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-25T14:41:49Z/

url

https://github.com/Mbed-TLS/mbedtls/releases

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-27809

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gvkn-6e2m-dyez

url VCID-kchn-2wez-bbb2

vulnerability_id VCID-kchn-2wez-bbb2

summary Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27810

reference_id

reference_type

scores

value	0.00099
scoring_system	epss
scoring_elements	0.26997
published_at	2026-04-21T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27051
published_at	2026-04-13T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.2706
published_at	2026-04-16T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27035
published_at	2026-04-18T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27203
published_at	2026-04-02T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27239
published_at	2026-04-04T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27032
published_at	2026-04-07T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27101
published_at	2026-04-08T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27147
published_at	2026-04-09T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27153
published_at	2026-04-11T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27109
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27810

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27810
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27810

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101499
reference_id	1101499
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101499

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/

reference_id

mbedtls-security-advisory-2025-03-2

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-25T14:36:57Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/

reference_url

https://github.com/Mbed-TLS/mbedtls/releases

reference_id

releases

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-25T14:36:57Z/

url

https://github.com/Mbed-TLS/mbedtls/releases

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-27810

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kchn-2wez-bbb2

url VCID-pj6w-rufw-nqgd

vulnerability_id VCID-pj6w-rufw-nqgd

summary Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-54764

reference_id

reference_type

scores

value	0.00015
scoring_system	epss
scoring_elements	0.03308
published_at	2026-04-12T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03287
published_at	2026-04-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05464
published_at	2026-04-21T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05381
published_at	2026-04-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05307
published_at	2026-04-16T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05308
published_at	2026-04-18T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05303
published_at	2026-04-02T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05334
published_at	2026-04-04T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05356
published_at	2026-04-07T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.0539
published_at	2026-04-08T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05412
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-54764

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54764
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54764

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118750
reference_id	1118750
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118750

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/

reference_id

mbedtls-security-advisory-2025-10-ssbleed-mstep

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T13:52:18Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T13:52:18Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-54764

risk_score 1.6

exploitability 0.5

weighted_severity 3.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pj6w-rufw-nqgd

url VCID-vp4q-81cq-33cw

vulnerability_id VCID-vp4q-81cq-33cw

summary Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59438

reference_id

reference_type

scores

value	0.00033
scoring_system	epss
scoring_elements	0.0944
published_at	2026-04-13T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09457
published_at	2026-04-12T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12913
published_at	2026-04-21T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.13047
published_at	2026-04-02T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12981
published_at	2026-04-08T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.13032
published_at	2026-04-09T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12994
published_at	2026-04-11T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12812
published_at	2026-04-16T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12815
published_at	2026-04-18T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.13099
published_at	2026-04-04T12:55:00Z

value	0.00042
scoring_system	epss
scoring_elements	0.12902
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59438

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59438
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59438

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118752
reference_id	1118752
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118752

reference_url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/

reference_id

mbedtls-security-advisory-2025-10-invalid-padding-error

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T16:06:28Z/

url

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T16:06:28Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-59438

risk_score 1.4

exploitability 0.5

weighted_severity 2.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vp4q-81cq-33cw

url VCID-vs6q-c4ug-xfer

vulnerability_id VCID-vs6q-c4ug-xfer

summary An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28755

reference_id

reference_type

scores

value	0.00127
scoring_system	epss
scoring_elements	0.32036
published_at	2026-04-21T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32037
published_at	2026-04-07T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32088
published_at	2026-04-08T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32117
published_at	2026-04-09T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32121
published_at	2026-04-11T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32083
published_at	2026-04-12T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32052
published_at	2026-04-13T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32086
published_at	2026-04-16T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32064
published_at	2026-04-18T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32176
published_at	2026-04-02T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.32214
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28755

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28755
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28755

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077686
reference_id	1077686
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077686

reference_url

https://github.com/hey3e

reference_id

hey3e

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:04:39Z/

url

https://github.com/hey3e

reference_url

https://hey3e.github.io

reference_id

hey3e.github.io

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:04:39Z/

url

https://hey3e.github.io

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:04:39Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_url

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0

reference_id

v3.6.0

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:04:39Z/

url

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2024-28755

risk_score 3.0

exploitability 0.5

weighted_severity 5.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vs6q-c4ug-xfer

url VCID-wsvw-6tmk-3kdj

vulnerability_id VCID-wsvw-6tmk-3kdj

summary mbedtls: Insecure handling of shared memory in PSA Crypto APIs

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28960.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28960.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28960

reference_id

reference_type

scores

value	0.0015
scoring_system	epss
scoring_elements	0.35561
published_at	2026-04-21T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35665
published_at	2026-04-02T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.3569
published_at	2026-04-04T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.3557
published_at	2026-04-07T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35616
published_at	2026-04-08T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.3564
published_at	2026-04-09T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35649
published_at	2026-04-11T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35605
published_at	2026-04-12T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35582
published_at	2026-04-13T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35621
published_at	2026-04-16T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35611
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28960

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28960
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28960

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2272172
reference_id	2272172
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2272172

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YE3QRREGJC6K34JD4LZ5P3IALNX4QYY/

reference_id

5YE3QRREGJC6K34JD4LZ5P3IALNX4QYY

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T17:49:02Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5YE3QRREGJC6K34JD4LZ5P3IALNX4QYY/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/

reference_id

6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T17:49:02Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/

reference_url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md

reference_id

mbedtls-security-advisory-2024-03.md

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T17:49:02Z/

url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NCDU52ZDA7TX3HC5JCU6ZZIJQOPTNBK6/

reference_id

NCDU52ZDA7TX3HC5JCU6ZZIJQOPTNBK6

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T17:49:02Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NCDU52ZDA7TX3HC5JCU6ZZIJQOPTNBK6/

reference_url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

reference_id

security-advisories

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-02T17:49:02Z/

url

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

fixed_packages

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2024-28960

risk_score 3.7

exploitability 0.5

weighted_severity 7.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wsvw-6tmk-3kdj

url VCID-zpq1-dwvf-8ka2

vulnerability_id VCID-zpq1-dwvf-8ka2

summary Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-52496

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09086
published_at	2026-04-02T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09059
published_at	2026-04-07T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.0917
published_at	2026-04-11T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09375
published_at	2026-04-12T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.0936
published_at	2026-04-13T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09139
published_at	2026-04-08T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11445
published_at	2026-04-21T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11293
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-52496

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52496
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52496

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108785
reference_id	1108785
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108785

reference_url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-1.md

reference_id

mbedtls-security-advisory-2025-06-1.md

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-08T14:07:04Z/

url

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-1.md

reference_url	https://usn.ubuntu.com/8123-1/
reference_id	USN-8123-1
reference_type
scores
url	https://usn.ubuntu.com/8123-1/

fixed_packages

url pkg:deb/debian/mbedtls@2.28.3-1

purl pkg:deb/debian/mbedtls@2.28.3-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

vulnerability	VCID-5bxk-rknm-zfhc

vulnerability	VCID-7ppw-f9jy-k7ae

vulnerability	VCID-7v3a-5q44-cucz

vulnerability	VCID-98cg-wuhp-qudq

vulnerability	VCID-f1fz-b8b6-dfb8

vulnerability	VCID-gvkn-6e2m-dyez

vulnerability	VCID-kchn-2wez-bbb2

vulnerability	VCID-pj6w-rufw-nqgd

vulnerability	VCID-vp4q-81cq-33cw

vulnerability	VCID-vs6q-c4ug-xfer

vulnerability	VCID-wsvw-6tmk-3kdj

vulnerability	VCID-zpq1-dwvf-8ka2

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@2.28.3-1

url pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

purl pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4sbv-dqyv-6baw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

aliases CVE-2025-52496

risk_score 3.5

exploitability 0.5

weighted_severity 7.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zpq1-dwvf-8ka2

Risk_score 2.3

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/mbedtls@3.6.5-0.1~deb13u1

Package Instance