Input Validation Flaw in Mbed TLS Affects Secure Communications
CVE-2026-34872

9.1CRITICAL

Key Information:

Vendor: Arm
Status: Mbed TLS
Vendor: CVE Published:; 1 April 2026

What is CVE-2026-34872?

An issue exists in Mbed TLS versions 3.5.x and 3.6.x through 3.6.5, along with TF-PSA-Crypto 1.0, due to improper input validation during finite-field Diffie-Hellman (FFDH) operations. This lack of contributory behavior can allow a malicious peer or an active network attacker to manipulate the shared secret, restricting it to a limited set of values. Such vulnerabilities can compromise the integrity of encryption protocols that rely on contributory key agreement, potentially leading to security breaches in affected applications.

References

https://mbed-tls.readthedocs.io/en/latest/security-adviso...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-34872 Data

JSON

Arm

What is CVE-2026-34872?

References

CVSS V3.1

Timeline