CVE-2026-25833
Published: 01 April 2026
Summary
CVE-2026-25833 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Arm Mbed Tls. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow vulnerability in Mbed TLS by requiring timely application of vendor patches such as versions 3.6.6 or 4.1.0.
Implements memory protection mechanisms like stack canaries and ASLR that directly mitigate stack-based buffer overflows during IPv6 address parsing in X.509 processing.
Requires validation of IPv6 inputs to X.509 certificate processing as an interim measure to block malformed data that triggers the x509_inet_pton_ipv6() overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in X.509 IPv6 parsing enables remote unauthenticated exploitation that crashes the application (C:N/I:N/A:H), directly matching application/system exploitation for endpoint DoS.
NVD Description
Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function
Deeper analysisAI
CVE-2026-25833 is a stack-based buffer overflow vulnerability (CWE-121) in the x509_inet_pton_ipv6() function within Mbed TLS versions 3.5.0 through 3.6.5. This flaw affects the cryptographic library's handling of IPv6 address parsing in X.509 certificate processing, potentially leading to memory corruption. The vulnerability was publicly disclosed on April 1, 2026, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By sending a specially crafted input to a targeted Mbed TLS implementation—such as during TLS handshake or certificate validation—they can trigger the buffer overflow, causing a denial-of-service condition through application crashes or service disruption. The unchanged scope means the impact is confined to the vulnerable component, with no direct confidentiality or integrity violations.
Mbed TLS vendors have addressed the issue in versions 3.6.6 and 4.1.0, recommending immediate upgrades for affected systems. Official security advisories, available at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and the specific advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/, detail the patch changes and urge validation of IPv6 parsing inputs as an interim measure where patching is delayed.
Details
- CWE(s)