CVE-2026-34877

Critical

Published: 02 April 2026

Published

02 April 2026

Modified

06 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to…

arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, reporting, and correction of flaws like the serialization vulnerability in Mbed TLS through timely patching.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as DEP and ASLR to prevent arbitrary code execution resulting from memory corruption induced by modified serialized SSL structures.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables ongoing vulnerability scanning to identify systems using vulnerable Mbed TLS versions affected by CVE-2026-34877.

Security SummaryAI

CVE-2026-34877 is a critical vulnerability affecting Mbed TLS cryptographic library versions from 2.19.0 up to 3.6.5, as well as version 4.0.0. The flaw stems from insufficient protection of serialized SSL context or session structures due to incorrect use of privileged APIs (CWE-250, CWE-502). This allows an attacker with the ability to modify these serialized structures to induce memory corruption, potentially leading to arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables full compromise of the affected system through memory corruption and arbitrary code execution, granting high-impact access to confidentiality, integrity, and availability.

Mitigation guidance is detailed in the official Mbed TLS security advisories at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and the specific advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/, published around April 2026. Security practitioners should review these for patch availability, upgrade recommendations, and any interim workarounds to protect deployments using vulnerable Mbed TLS versions.

Details

CWE(s): CWE-250 CWE-502

Affected Products

arm

mbed tls

4.0.0 · 2.19.0 — 3.6.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-34877 enables remote unauthenticated exploitation of public-facing applications using vulnerable Mbed TLS library via memory corruption in serialized SSL structures, leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://mbed-tls.readthedocs.io/en/latest/security-advisories/
Vendor Advisory · cve@mitre.org
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/
Vendor Advisory · cve@mitre.org