VulnerableCode Package Details - pkg:deb/debian/mbedtls@3.6.3-1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4tgq-m1es-aaar	An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.	CVE-2024-28960
VCID-e6dh-2rzv-aaaf	An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.	CVE-2024-28755
VCID-evq7-upd8-aaag	An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.	CVE-2024-23170
VCID-fhf5-dwz2-97g3	An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.	CVE-2024-45157
VCID-mrrz-dcph-pkh5	Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.	CVE-2025-27809
VCID-nhkf-eraa-aaaa	Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().	CVE-2024-23775
VCID-zrja-a9ut-c3dr	Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.	CVE-2025-27810

Vulnerability

Summary

Aliases

VCID-4tgq-m1es-aaar

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

CVE-2024-28960

VCID-e6dh-2rzv-aaaf

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

CVE-2024-28755

VCID-evq7-upd8-aaag

An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

CVE-2024-23170

VCID-fhf5-dwz2-97g3

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

CVE-2024-45157

VCID-mrrz-dcph-pkh5

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

CVE-2025-27809

VCID-nhkf-eraa-aaaa

Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().

CVE-2024-23775

VCID-zrja-a9ut-c3dr

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

CVE-2025-27810

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-22T01:27:36.235397+00:00	Debian Importer	Fixing	VCID-fhf5-dwz2-97g3	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-21T01:53:59.238542+00:00	Debian Importer	Fixing	VCID-zrja-a9ut-c3dr	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T22:46:40.504549+00:00	Debian Importer	Fixing	VCID-mrrz-dcph-pkh5	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T21:49:49.795592+00:00	Debian Importer	Fixing	VCID-nhkf-eraa-aaaa	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T20:50:58.831767+00:00	Debian Importer	Fixing	VCID-4tgq-m1es-aaar	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T20:05:45.576975+00:00	Debian Importer	Fixing	VCID-evq7-upd8-aaag	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T20:03:06.828968+00:00	Debian Importer	Fixing	VCID-e6dh-2rzv-aaaf	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-05T14:37:13.976741+00:00	Debian Importer	Fixing	VCID-4tgq-m1es-aaar	https://security-tracker.debian.org/tracker/data/json	36.1.0
2025-06-05T14:07:31.258872+00:00	Debian Importer	Fixing	VCID-evq7-upd8-aaag	https://security-tracker.debian.org/tracker/data/json	36.1.0
2025-06-05T14:06:04.953462+00:00	Debian Importer	Fixing	VCID-e6dh-2rzv-aaaf	https://security-tracker.debian.org/tracker/data/json	36.1.0
2025-04-10T04:26:59.133581+00:00	Debian Importer	Fixing	VCID-fhf5-dwz2-97g3	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-09T07:22:10.357089+00:00	Debian Importer	Fixing	VCID-zrja-a9ut-c3dr	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-09T02:39:37.905260+00:00	Debian Importer	Fixing	VCID-nhkf-eraa-aaaa	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-09T01:29:56.905287+00:00	Debian Importer	Fixing	VCID-4tgq-m1es-aaar	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-09T00:50:47.364506+00:00	Debian Importer	Fixing	VCID-evq7-upd8-aaag	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-09T00:49:00.216454+00:00	Debian Importer	Fixing	VCID-e6dh-2rzv-aaaf	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-07T06:23:19.064799+00:00	Debian Importer	Fixing	VCID-mrrz-dcph-pkh5	https://security-tracker.debian.org/tracker/data/json	36.0.0