#VU124804 Buffer overflow in mbed TLS - CVE-2026-34875
Published: April 2, 2026
Vulnerability identifier: #VU124804
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-34875
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
mbed TLS
mbed TLS
Software vendor:
ARM
ARM
Description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in the psa_export_public_key() function when processing FFDH public key export requests. A remote attacker can send a specially crafted request with a small output buffer to cause memory corruption and potentially execute arbitrary code.
Applications exporting public keys for algorithms other than FFDH are not affected.
Remediation
Install security update from vendor's website.