Search for vulnerabilities
| Vulnerability ID | VCID-p6yu-3gyw-f3e1 |
| Aliases |
CVE-2022-35409
|
| Summary | An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 8.2 |
| Risk | 4.1 |
| Affected and Fixed Packages | Package Details |
| CWE-125 | Out-of-bounds Read |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.65822 |
| EPSS Score | 0.00519 |
| Published At | July 30, 2025, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-31T08:32:39.542964+00:00 | Alpine Linux Importer | Import | https://secdb.alpinelinux.org/v3.22/main.json | 37.0.0 |