#VU124853 Insufficient verification of data authenticity in mbed TLS - CVE-2026-34877
Published: April 2, 2026
Vulnerability identifier: #VU124853
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34877
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
mbed TLS
mbed TLS
Software vendor:
ARM
ARM
Description
The vulnerability allows a remote attacker to cause memory corruption or a denial of service.
The vulnerability exists due to insufficient integrity protection in TLS session or context deserialization when restoring serialized TLS state from a modified or corrupted buffer. A remote attacker can modify serialized session or context data to cause memory corruption or a denial of service.
This affects Mbed TLS versions that support session or context serialization if serialized data can be accessed or modified by an attacker. The advisory states that deserialization of tampered state may result in out-of-bounds reads or writes or other undefined behavior while restoring TLS structures.
Remediation
Install security update from vendor's website.