SB2026040204 - Multiple vulnerabilities in ARM mbed TLS
Published: April 2, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-25834)
The vulnerability allows a remote attacker to bypass security policies.
The vulnerability exists due to improper access control in the TLS 1.2 signature algorithm negotiation component when processing server responses during the handshake. A remote attacker can send a specially crafted server response that causes the client to accept a signature algorithm it did not advertise in the ClientHello, bypassing the client's configured policy.
The issue affects only TLS 1.2 connections and occurs when the server ignores the signature_algorithms extension sent by the client: the client fails to enforce the list it configured via mbedtls_ssl_conf_sig_algs().
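The check the client is expected to perform, shown as an added illustration (example code written for this bulletin, not Mbed TLS source): parse the signature_algorithms list the client itself sent, then accept the server's SignatureAndHashAlgorithm only if it appears in that list. The type and function names (sigalg_policy, parse_sigalgs_extension, accept_server_sigalg) and the sample byte strings are constructed for the example; the code points are the IANA TLS SignatureScheme values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 SignatureAndHashAlgorithm code points from the IANA registry. */
#define SIG_RSA_PKCS1_SHA1          0x0201u
#define SIG_RSA_PKCS1_SHA256        0x0401u
#define SIG_ECDSA_SECP256R1_SHA256  0x0403u
#define SIG_RSA_PSS_RSAE_SHA256     0x0804u

#define MAX_SIGALGS 16

/* The client's policy: what it configured (the mbedtls_ssl_conf_sig_algs() list in Mbed
 * TLS terms) and therefore what it advertised in the ClientHello. */
typedef struct {
    uint16_t algs[MAX_SIGALGS];
    size_t count;
} sigalg_policy;

/* Parse a signature_algorithms extension body: 2-byte big-endian list length followed by
 * that many bytes of 2-byte code points. Returns 0 on success, -1 if malformed. */
int parse_sigalgs_extension(const uint8_t *buf, size_t len, sigalg_policy *out)
{
    if (len < 2) return -1;
    size_t list_len = ((size_t)buf[0] << 8) | buf[1];
    if (list_len == 0 || list_len % 2 != 0 || list_len + 2 != len ||
        list_len / 2 > MAX_SIGALGS) return -1;
    out->count = 0;
    for (size_t i = 0; i < list_len; i += 2)
        out->algs[out->count++] = (uint16_t)(((uint16_t)buf[2 + i] << 8) | buf[3 + i]);
    return 0;
}

/* The enforcement the client must do: accept the server's choice only if it was offered. */
int sigalg_was_offered(const sigalg_policy *policy, uint16_t chosen)
{
    for (size_t i = 0; i < policy->count; i++)
        if (policy->algs[i] == chosen) return 1;
    return 0;
}

/* Apply the policy to the DigitallySigned structure of a TLS 1.2 ServerKeyExchange:
 * 2-byte SignatureAndHashAlgorithm, 2-byte signature length, signature bytes.
 * Returns the accepted code point, or 0 if malformed or not in the offered list. */
uint16_t accept_server_sigalg(const sigalg_policy *policy, const uint8_t *ds, size_t len)
{
    if (len < 4) return 0;
    uint16_t alg = (uint16_t)(((uint16_t)ds[0] << 8) | ds[1]);
    size_t sig_len = ((size_t)ds[2] << 8) | ds[3];
    if (sig_len != len - 4) return 0;
    return sigalg_was_offered(policy, alg) ? alg : 0;
}

/* Constructed samples. The client offered rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256. */
static const uint8_t sample_ext[] = { 0x00, 0x04, 0x08, 0x04, 0x04, 0x03 };
/* A server answering with rsa_pkcs1_sha1, never offered (2-byte dummy signature). */
static const uint8_t ske_sha1[]   = { 0x02, 0x01, 0x00, 0x02, 0xAA, 0xBB };
/* A server answering with rsa_pss_rsae_sha256, which was offered. */
static const uint8_t ske_pss[]    = { 0x08, 0x04, 0x00, 0x02, 0xAA, 0xBB };

int main(void)
{
    sigalg_policy policy;
    if (parse_sigalgs_extension(sample_ext, sizeof sample_ext, &policy) != 0) return 1;
    printf("rsa_pkcs1_sha1 accepted as: 0x%04x\n",
           accept_server_sigalg(&policy, ske_sha1, sizeof ske_sha1));
    printf("rsa_pss_rsae_sha256 accepted as: 0x%04x\n",
           accept_server_sigalg(&policy, ske_pss, sizeof ske_pss));
    return 0;
}
```

The point of keeping the parsed list in the policy object is that the same data the client put on the wire is what it later checks against; a client that checks only "is this algorithm supported at all" rather than "did I offer it" is exactly what the advisory describes.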
2) Use of insufficiently random values (CVE-ID: CVE-2026-25835)
The vulnerability allows a local user to obtain predictable random numbers.
The vulnerability exists due to insufficient randomness in the PSA random generator when application state is cloned. A local user can exploit system or application cloning scenarios such as fork(), VM cloning, or hibernation resume to cause multiple instances to generate identical random outputs, enabling prediction of cryptographic keys and nonces.
Applications that use the PSA random generator are affected when the system or application state is cloned without reseeding the generator. This includes scenarios such as fork() on Unix-like systems, virtual machine cloning, and resuming hibernation images multiple times.
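A demonstration of the cloning failure mode and its fix, added here as example code rather than Mbed TLS source: a toy deterministic generator stands in for the PSA random generator, the process forks, and without a reseed both sides return the same "random" value. The toy_drbg names and the fixed seed are constructed for the example; the reseed source and the pthread_atfork() placement mentioned in the comments are a recommendation added here, not something the advisory prescribes.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Toy DRBG (SplitMix64) standing in for the PSA random generator. It is fully
 * determined by its state, so a cloned process clones the entire output stream. */
typedef struct { uint64_t state; } toy_drbg;
static toy_drbg g_rng;

static uint64_t toy_drbg_next(toy_drbg *r)
{
    uint64_t z = (r->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Mix fresh OS entropy into the state. /dev/urandom is read here only so the demo is
 * portable; on a running Linux system getrandom() is the better source (see issue 7). */
static int toy_drbg_reseed_from_os(toy_drbg *r)
{
    uint64_t fresh = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(&fresh, 1, sizeof fresh, f);
    fclose(f);
    if (n != sizeof fresh) return -1;
    r->state ^= fresh;
    return 0;
}

/* Seed, fork, draw one value in child and parent, compare.
 * Returns 1 if both processes produced the same value (the cloning bug), 0 if they
 * differ, -1 on a system error. */
int fork_collision_demo(int reseed_in_child)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;
    g_rng.state = 0x0123456789ABCDEFULL;   /* constructed fixed seed, as if seeded at boot */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* The fix: reseed immediately after the clone. In production, register this in a
         * pthread_atfork() child handler so no fork() path can forget it. */
        if (reseed_in_child && toy_drbg_reseed_from_os(&g_rng) != 0) _exit(1);
        uint64_t v = toy_drbg_next(&g_rng);
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    uint64_t child_v = 0;
    ssize_t n = read(fd[0], &child_v, sizeof child_v);
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || n != (ssize_t)sizeof child_v || status != 0) return -1;
    uint64_t parent_v = toy_drbg_next(&g_rng);
    return parent_v == child_v;
}

int main(void)
{
    printf("no reseed after fork -> identical output: %d\n", fork_collision_demo(0));
    printf("reseed after fork    -> identical output: %d\n", fork_collision_demo(1));
    return 0;
}
```

VM cloning and hibernation resume have no fork() hook to attach a handler to; there the application has to detect the clone (for example by comparing a boot or machine identifier at start of each operation) or simply reseed before every key or nonce generation that follows a resume.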
3) NULL pointer dereference (CVE-ID: CVE-2026-34874)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an unchecked memory allocation failure in the function mbedtls_x509_string_to_names() when processing user-supplied distinguished names. A remote attacker who can make an allocation fail while mbedtls_x509_string_to_names() is running can trigger a NULL pointer dereference, leading to arbitrary code execution on systems without memory protection at address 0.
On platforms with memory protection, the result is a segmentation fault (denial of service) rather than code execution.
4) Buffer underflow (CVE-ID: CVE-2026-25833)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in x509_inet_pton_ipv6() when parsing IPv6 address input. A remote attacker can send a specially crafted IPv6 address string to cause a buffer underread of up to 4 bytes, potentially leading to a denial of service.
In rare cases, the buffer underread may cross a page boundary and trigger a memory access violation, resulting in a crash.
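A bounds-checked IPv6 text parser, added as example code (it is not the library's x509_inet_pton_ipv6()): it enumerates the input classes such a parser has to reject, including a lone leading ':' and an empty string, which are the kind of inputs that make a parser read before the buffer if it looks back at the previous character without first checking that there is one. The ipv6_pton name and the sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse an RFC 4291 text-form IPv6 address (hex groups, optional single "::") into 16
 * network-order bytes. Returns 1 on success, 0 on rejection. Every src[] access is guarded
 * by a length check, so inputs such as ":" or "" can never index before or past the buffer.
 * Zone identifiers and the embedded-IPv4 form are deliberately rejected. */
int ipv6_pton(const char *src, size_t len, uint8_t out[16])
{
    uint16_t groups[8] = {0};
    int ngroups = 0;        /* groups parsed so far */
    int zero_run_at = -1;   /* position of "::", or -1 if absent */
    size_t i = 0;

    if (len >= 1 && src[0] == ':') {            /* leading "::" is fine, a lone ":" is not */
        if (len < 2 || src[1] != ':') return 0;
        zero_run_at = 0;
        i = 2;
    }
    while (i < len) {
        uint32_t val = 0;
        int ndigits = 0;
        while (i < len && ndigits < 4 && isxdigit((unsigned char)src[i])) {
            unsigned char c = (unsigned char)src[i];
            val = (val << 4) | (uint32_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
            ndigits++;
            i++;
        }
        if (ndigits == 0 || ngroups >= 8) return 0;   /* ":::", "::1::", non-hex, >8 groups */
        groups[ngroups++] = (uint16_t)val;
        if (i == len) break;
        if (src[i] != ':') return 0;                   /* 5-digit group or stray character */
        i++;
        if (i == len) return 0;                        /* trailing single ":" */
        if (src[i] == ':') {                           /* "::" */
            if (zero_run_at != -1) return 0;           /* at most one "::" */
            zero_run_at = ngroups;
            i++;
            if (i == len) break;                       /* trailing "::" */
        }
    }
    if (zero_run_at == -1) {
        if (ngroups != 8) return 0;
    } else {
        if (ngroups >= 8) return 0;                    /* "::" must replace at least one group */
        int fill = 8 - ngroups;
        memmove(&groups[zero_run_at + fill], &groups[zero_run_at],
                (size_t)(ngroups - zero_run_at) * sizeof groups[0]);
        memset(&groups[zero_run_at], 0, (size_t)fill * sizeof groups[0]);
    }
    for (int g = 0; g < 8; g++) {
        out[2 * g]     = (uint8_t)(groups[g] >> 8);
        out[2 * g + 1] = (uint8_t)(groups[g] & 0xFF);
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: two valid, three that must be rejected. */
    const char *samples[] = { "2001:db8::1", "::", ":", "1::2::3", "1:2:3:4:5:6:7:8:9" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        uint8_t addr[16];
        int ok = ipv6_pton(samples[s], strlen(samples[s]), addr);
        printf("%-20s -> %s\n", samples[s], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Taking an explicit length rather than relying on a terminating NUL also matters in X.509 code, where the string usually comes straight out of a DER element that is not NUL-terminated.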
5) Improper input validation (CVE-ID: CVE-2026-34872)
The vulnerability allows a remote attacker to force the FFDH shared secret into a small set of values.
The vulnerability exists due to improper input validation in the FFDH key agreement component when processing a peer's public key during key agreement using PSA_ALG_FFDH. A remote attacker can send a specially crafted public key to force the FFDH shared secret into a small set of values.
Applications are only affected if they use the PSA API to perform FFDH as part of a larger protocol that expects contributory behaviour from FFDH. TLS 1.2 and TLS 1.3 are not affected due to protocol-level protections.
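What the contributory-behaviour failure looks like, and the peer-key validation that prevents it, as an added example (not PSA or Mbed TLS code): the toy group p = 983, q = 491, g = 2 and all function names are constructed for the example, and the group is small enough to enumerate every private key and count how many distinct secrets a hostile public key can force. The checks follow the NIST SP 800-56A full public-key validation pattern and generalize to the RFC 7919 groups, where p is 2048 bits or more and a bignum library replaces the uint64_t arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy parameters, constructed for the demo: p = 983 is a safe prime (p = 2q + 1 with
 * q = 491) and g = 2 generates the order-q subgroup because p = 7 (mod 8). Real FFDH uses
 * the RFC 7919 groups; keeping p < 2^32 here lets every product fit in uint64_t. */
#define DH_P 983u
#define DH_Q 491u
#define DH_G 2u

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) r = r * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return r;
}

/* Raw key agreement with no checks on the peer's value: shared = peer_pub^our_priv mod p.
 * This is the contributory-behaviour failure: the peer chooses the output set. */
uint64_t ffdh_unchecked(uint64_t our_priv, uint64_t peer_pub)
{
    return modpow(peer_pub, our_priv, DH_P);
}

/* Full public-key validation for a safe-prime group:
 *  (a) 2 <= y <= p-2   rejects 0, 1, p-1 and out-of-range values;
 *  (b) y^q == 1 mod p  rejects elements outside the prime-order subgroup.
 * Returns 1 if y is acceptable, 0 otherwise. */
int ffdh_peer_key_valid(uint64_t y)
{
    if (y < 2 || y > DH_P - 2) return 0;
    if (modpow(y, DH_Q, DH_P) != 1) return 0;
    return 1;
}

/* Checked agreement: refuses to compute anything from an invalid peer key.
 * Returns 0 and sets *shared on success, -1 if the peer key is rejected. */
int ffdh_checked(uint64_t our_priv, uint64_t peer_pub, uint64_t *shared)
{
    if (!ffdh_peer_key_valid(peer_pub)) return -1;
    *shared = modpow(peer_pub, our_priv, DH_P);
    return 0;
}

/* How many distinct secrets can a peer who sends peer_pub force, over all private keys
 * 1..q-1? Small enough to enumerate in the toy group. */
int ffdh_forced_secret_count(uint64_t peer_pub)
{
    uint8_t seen[DH_P] = {0};
    int n = 0;
    for (uint64_t x = 1; x < DH_Q; x++) {
        uint64_t s = ffdh_unchecked(x, peer_pub);
        if (!seen[s]) { seen[s] = 1; n++; }
    }
    return n;
}

int main(void)
{
    uint64_t hostile[] = { 0, 1, DH_P - 1 };
    for (int i = 0; i < 3; i++)
        printf("peer sends %4llu: %3d possible secret(s), validation %s\n",
               (unsigned long long)hostile[i], ffdh_forced_secret_count(hostile[i]),
               ffdh_peer_key_valid(hostile[i]) ? "accepts" : "rejects");
    printf("peer sends g=%llu: %3d possible secrets, validation %s\n",
           (unsigned long long)DH_G, ffdh_forced_secret_count(DH_G),
           ffdh_peer_key_valid(DH_G) ? "accepts" : "rejects");
    return 0;
}
```

Check (b) is the one that needs q; for the RFC 7919 groups q = (p - 1) / 2 is known, and the same exponentiation that rejects the order-2 element p - 1 also rejects quadratic non-residues, which would otherwise leak one bit of the private key. TLS gets away without this on the wire because its key schedule binds both ClientHello and ServerHello randomness into the secret, which is the protocol-level protection the advisory refers to.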
6) Buffer overflow (CVE-ID: CVE-2026-34875)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in the psa_export_public_key() function when exporting an FFDH public key. The function does not correctly bound its writes to the caller's output buffer for FFDH keys, so a call with an output buffer smaller than the exported key corrupts memory beyond that buffer and can potentially lead to arbitrary code execution. The PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE macro listed in the references is the documented way to size that buffer.
Applications exporting public keys for algorithms other than FFDH are not affected.
7) Use of insufficiently random values (CVE-ID: CVE-2026-34871)
The vulnerability allows a local user to compromise cryptographic operations by causing the use of predictable random data.
The vulnerability exists due to improper fallback to /dev/urandom in entropy collection on Linux when getrandom() is unavailable or blocked. A local user can control the system state or restrict access to getrandom() to force the use of /dev/urandom during early boot, leading to insufficient entropy and predictable cryptographic outputs.
Devices without hardware random number generators are especially at risk during initial boot or OS installation. The issue affects Linux platforms where getrandom() is not available (kernel <3.17), blocked by sandboxing, or not supported by the C library.
8) Improper Authentication (CVE-ID: CVE-2026-34873)
The vulnerability allows a remote attacker to impersonate a legitimate client during TLS session resumption.
The vulnerability exists due to improper session validation in the TLS 1.3 session resumption mechanism when handling a downgrade from TLS 1.3 to TLS 1.2 after a HelloRetryRequest. A remote attacker can intercept the HelloRetryRequest and send a specially crafted ClientHello that negotiates TLS 1.2 to impersonate a legitimate client and bypass authentication mechanisms.
The server incorrectly proceeds to resume a TLS 1.2 session using an all-zero master secret, potentially allowing the attacker to inherit application-level privileges if session tickets encode authorization data.
9) Out-of-bounds read (CVE-ID: CVE-2026-34876)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper input validation in the CCM implementation (library/ccm.c) when processing the tag_len parameter in mbedtls_ccm_finish(). A remote attacker can send a specially crafted request with an oversized tag_len value to trigger an out-of-bounds read and disclose adjacent memory within the CCM context structure.
Exploitation requires the ability to invoke the multipart CCM API with controlled parameters. The vulnerability does not permit memory modification or direct code execution.
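An illustration of the boundary check, added as example code (the toy_ccm_ctx layout and function names are constructed, not Mbed TLS's ccm.c): the unchecked finish copies tag_len bytes starting at the 16-byte tag block, so a 20-byte request also returns the four bytes that follow it in the context; the checked finish rejects any tag length outside the CCM set or different from the one fixed when the operation started. The field order in the toy context is chosen so that something sensitive sits right after the tag block, which is what turns an over-read into a disclosure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy multipart-CCM context. The layout is constructed so the 16-byte tag block is
 * immediately followed by data worth protecting (both are char arrays, so no padding). */
typedef struct {
    unsigned char y[16];          /* running CBC-MAC value; the tag is its first tag_len bytes */
    unsigned char key_bytes[16];  /* stand-in for key material living after y */
    size_t tag_len_set;           /* tag length fixed when the operation started */
} toy_ccm_ctx;

/* Before the fix: tag_len is trusted. Asking for 20 bytes returns y plus 4 bytes of
 * whatever follows it in the context. */
int toy_ccm_finish_unchecked(const toy_ccm_ctx *ctx, unsigned char *tag, size_t tag_len)
{
    memcpy(tag, (const unsigned char *)ctx + offsetof(toy_ccm_ctx, y), tag_len);
    return 0;
}

/* After the fix: CCM tags are 4..16 bytes and even (RFC 3610), and the length must match
 * the one fixed at the start of the operation. Returns 0 on success, -1 on bad input. */
int toy_ccm_finish_checked(const toy_ccm_ctx *ctx, unsigned char *tag, size_t tag_len)
{
    if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) return -1;
    if (tag_len != ctx->tag_len_set) return -1;
    memcpy(tag, ctx->y, tag_len);
    return 0;
}

/* Run one finish against a context with a recognisable key pattern and report how many
 * key bytes ended up in the tag buffer. Returns -1 if the finish rejected the request. */
int ccm_leak_demo(int use_checked, size_t tag_len)
{
    toy_ccm_ctx ctx;
    unsigned char tag[32] = {0};
    if (tag_len > sizeof tag) return -1;                   /* keep the demo's own buffer safe */
    memset(ctx.y, 0xAA, sizeof ctx.y);
    memset(ctx.key_bytes, 0x5C, sizeof ctx.key_bytes);     /* constructed key pattern */
    ctx.tag_len_set = 16;
    int rc = use_checked ? toy_ccm_finish_checked(&ctx, tag, tag_len)
                         : toy_ccm_finish_unchecked(&ctx, tag, tag_len);
    if (rc != 0) return -1;
    int leaked = 0;
    for (size_t i = 16; i < tag_len; i++)
        if (tag[i] == 0x5C) leaked++;
    return leaked;
}

int main(void)
{
    printf("unchecked finish, tag_len 20: %d key bytes in tag buffer\n", ccm_leak_demo(0, 20));
    printf("checked finish,   tag_len 20: %d (rejected)\n", ccm_leak_demo(1, 20));
    printf("checked finish,   tag_len 16: %d key bytes in tag buffer\n", ccm_leak_demo(1, 16));
    return 0;
}
```

Matching tag_len against the length fixed at the start of the operation is the stronger of the two checks: it also catches a caller that legitimately started a 16-byte-tag operation and then, through a bug of its own, asks for 8 bytes at finish time, which would otherwise silently weaken the authentication.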
Remediation
Install the update from the vendor's website.
References
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-sigalg-injection/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning/
- https://mbed-tls.readthedocs.io/en/latest/kb/how-to/random_generator_cloning/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-peerkey-checks/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/
- https://arm-software.github.io/psa-api/crypto/1.0/api/keys/management.html#c.PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/