Double Free Vulnerability in Mbed TLS Affects Multiple Versions
CVE-2021-44732

9.8CRITICAL

Key Information:

Vendor: Arm
Status: Mbed Tls
Vendor: CVE Published:; 20 December 2021

Summary

A double free vulnerability exists in Mbed TLS versions before 3.0.1. This issue may be triggered under certain out-of-memory conditions, particularly exemplified by failures during SSL session management. If exploited, this vulnerability can lead to unexpected behavior or application crashes, thus potentially allowing unauthorized access or denial of service in applications relying on Mbed TLS. Users are advised to update to the latest versions to mitigate this risk.

References

https://github.com/ARMmbed/mbedtls/releases

https://tls.mbed.org/tech-updates/security-advisories/mbe...

https://bugs.gentoo.org/829660

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 20, 2021
Vulnerability Reserved
Dec 8, 2021