Cyber Resilience

CVE-2026-25833

HighUpdated

Published: 01 April 2026

Published
01 April 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 17.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25833 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Trustedfirmware Mbed Tls. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25833 is a stack-based buffer overflow vulnerability (CWE-121) in the x509_inet_pton_ipv6() function within Mbed TLS versions 3.5.0 through 3.6.5. This flaw affects the cryptographic library's handling of IPv6 address parsing in X.509 certificate processing, potentially leading to memory corruption. The vulnerability was publicly disclosed on April 1, 2026, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By sending a specially crafted input to a targeted Mbed TLS implementation—such as during TLS handshake or certificate validation—they can trigger the buffer overflow, causing a denial-of-service condition through application crashes or service disruption. The unchanged scope means the impact is confined to the vulnerable component, with no direct confidentiality or integrity violations.

Mbed TLS vendors have addressed the issue in versions 3.6.6 and 4.1.0, recommending immediate upgrades for affected systems. Official security advisories, available at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and the specific advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/, detail the patch changes and urge validation of IPv6 parsing inputs as an interim measure where patching is delayed.

EU & UK References

Vulnerability details

Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Stack-based buffer overflow in X.509 IPv6 parsing enables remote unauthenticated exploitation that crashes the application (C:N/I:N/A:H), directly matching application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34874Same product: Trustedfirmware Mbed Tls
CVE-2026-34876Same product: Trustedfirmware Mbed Tls
CVE-2026-34873Same product: Trustedfirmware Mbed Tls
CVE-2026-34875Same product: Trustedfirmware Mbed Tls
CVE-2026-33662Same vendor: Trustedfirmware
CVE-2020-37198Shared CWE-121
CVE-2019-25328Shared CWE-121
CVE-2025-1758Shared CWE-121
CVE-2026-36837Shared CWE-121
CVE-2019-25340Shared CWE-121

Affected Assets

trustedfirmware
mbed tls
4.0.0 · 3.5.0 — 3.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the buffer overflow vulnerability in Mbed TLS by requiring timely application of vendor patches such as versions 3.6.6 or 4.1.0.

prevent

Implements memory protection mechanisms like stack canaries and ASLR that directly mitigate stack-based buffer overflows during IPv6 address parsing in X.509 processing.

prevent

Requires validation of IPv6 inputs to X.509 certificate processing as an interim measure to block malformed data that triggers the x509_inet_pton_ipv6() overflow.

References