CVE-2025-27810 MEDIUM

Vendor Mbed
Product mbedtls
Weakness CWE-908
Published March 25, 2025
Last update March 25, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

Key dates

02 Disclosure timeline

March 25, 2025 CVE published
March 25, 2025 Record updated