Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
CVE-2025-27810: Mbed TLS: Uninitialized Data in TLS Messages Can Bypass Authentication
CVE-2025-27810
Summary
An issue in some versions of Mbed TLS can cause authentication to be bypassed. This is because the software uses memory that hasn't been properly cleaned up, potentially allowing hackers to intercept and reuse secure messages. To stay secure, update to the latest version of Mbed TLS, version 2.28.10 or 3.6.3 and later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| arm | mbed_tls |
< 2.28.10 >= 3.0.0, < 3.6.3 cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* |
Original title
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading ...
Original description
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
nvd CVSS3.1
4.8
Vulnerability type
CWE-908
Use of Uninitialized Resource
Published: 25 Mar 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026