SB2026040205 - Multiple vulnerabilities in ARM TF-PSA-Crypto

Published: April 2, 2026

Security Bulletin ID: SB2026040205
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 25%, Medium 25%, Low 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Use of insufficiently random values (CVE-ID: CVE-2026-34871)

The vulnerability allows a local user to compromise cryptographic operations by causing the use of predictable random data.

The vulnerability exists due to improper fallback to /dev/urandom in entropy collection on Linux when getrandom() is unavailable or blocked. A local user can control the system state or restrict access to getrandom() to force the use of /dev/urandom during early boot, leading to insufficient entropy and predictable cryptographic outputs.

Devices without hardware random number generators are especially at risk during initial boot or OS installation. The issue affects Linux platforms where getrandom() is not available (kernel <3.17), blocked by sandboxing, or not supported by the C library.


2) Buffer overflow (CVE-ID: CVE-2026-34875)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in the psa_export_public_key() function when processing FFDH public key export requests. A remote attacker can send a specially crafted request with a small output buffer to cause memory corruption and potentially execute arbitrary code.

Applications exporting public keys for algorithms other than FFDH are not affected.


3) Improper input validation (CVE-ID: CVE-2026-34872)

The vulnerability allows a remote attacker to force the FFDH shared secret into a small set of values.

The vulnerability exists due to improper input validation in the FFDH key agreement component when processing a peer's public key during key agreement using PSA_ALG_FFDH. A remote attacker can send a specially crafted public key to force the FFDH shared secret into a small set of values.

Applications are only affected if they use the PSA API to perform FFDH as part of a larger protocol that expects contributory behaviour from FFDH. TLS 1.2 and TLS 1.3 are not affected due to protocol-level protections.
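A protocol that relies on contributory behaviour can apply its own range and prime-order-subgroup check to the peer's public key before handing it to a PSA_ALG_FFDH key agreement. The following is an added example (not code from the bulletin or from TF-PSA-Crypto); it uses a tiny constructed safe-prime group so the arithmetic is readable, and shows how a peer key that fails the check collapses the set of reachable shared secrets.

```python
# Constructed toy safe-prime group for illustration only (real deployments
# use the RFC 7919 groups): P = 2*Q + 1, and G generates the order-Q subgroup.
P = 23
Q = (P - 1) // 2   # 11
G = 2              # 2**11 mod 23 == 1, so G has prime order Q


def ffdh_public_key(x: int, p: int = P, g: int = G) -> int:
    """Own public value y = g^x mod p for private exponent x in [1, q-1]."""
    return pow(g, x, p)


def ffdh_shared_secret(peer_y: int, x: int, p: int = P) -> int:
    """Raw FFDH shared secret z = peer_y^x mod p (no validation here)."""
    return pow(peer_y, x, p)


def validate_ffdh_peer_public_key(y: int, p: int = P, q: int = Q) -> bool:
    """Reject peer values that cannot contribute full entropy to the secret.

    1 < y < p-1 excludes 0, 1 and p-1 (the order-1 and order-2 elements);
    y^q == 1 (mod p) then guarantees y lies in the prime-order-q subgroup.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def reachable_shared_secrets(peer_y: int, p: int = P, q: int = Q) -> set:
    """Every secret an honest party could derive from peer_y, over all private
    exponents x in [1, q-1]. A small result is the failure mode described above."""
    return {pow(peer_y, x, p) for x in range(1, q)}


if __name__ == "__main__":
    honest_y = ffdh_public_key(7)          # 2^7 mod 23 == 13
    for y in (honest_y, 1, P - 1, 5):      # 5 has order 22, not Q
        ok = validate_ffdh_peer_public_key(y)
        n = len(reachable_shared_secrets(y))
        print(f"peer y={y:2d}: accepted={ok!s:5}  distinct secrets={n}")
```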


4) Use of insufficiently random values (CVE-ID: CVE-2026-25835)

The vulnerability allows a local user to obtain predictable random numbers.

The vulnerability exists due to insufficient randomness in the PSA random generator when application state is cloned. A local user can exploit system or application cloning scenarios such as fork(), VM cloning, or hibernation resume to cause multiple instances to generate identical random outputs, enabling prediction of cryptographic keys and nonces.

Applications that use the PSA random generator are affected when the system or application state is cloned without reseeding the generator. This includes scenarios such as fork() on Unix-like systems, virtual machine cloning, and resuming hibernation images multiple times.


Remediation

Install the update from the vendor's website.