Cyber Resilience

CVE-2026-34874

HighUpdated

Published: 01 April 2026

Published
01 April 2026
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 24.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34874 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Trustedfirmware Mbed Tls. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34874 is a NULL pointer dereference vulnerability in Mbed TLS versions through 3.6.5 and 4.x through 4.0.0. The flaw occurs during distinguished name parsing, enabling an attacker to trigger a write to address 0. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference). The vulnerability was published on 2026-04-01T19:16:33.390.

A remote, unauthenticated attacker can exploit this over the network with low attack complexity and no user interaction. Exploitation results in high availability impact with no confidentiality or integrity effects, typically manifesting as a denial-of-service via process crash in applications using the affected Mbed TLS library for X.509 parsing.

The Mbed TLS security advisories provide mitigation guidance, available at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and specifically at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/.

EU & UK References

Vulnerability details

An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in X.509 parsing enables remote unauthenticated exploitation causing application crash and denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25833Same product: Trustedfirmware Mbed Tls
CVE-2026-34873Same product: Trustedfirmware Mbed Tls
CVE-2026-34876Same product: Trustedfirmware Mbed Tls
CVE-2026-34875Same product: Trustedfirmware Mbed Tls
CVE-2026-33662Same vendor: Trustedfirmware
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476

Affected Assets

trustedfirmware
mbed tls
4.0.0 · 3.5.0 — 3.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the NULL pointer dereference in Mbed TLS by identifying, reporting, prioritizing, and applying patches to vulnerable versions.

detect

Enables proactive detection of systems using vulnerable Mbed TLS versions through vulnerability scanning for CVE-2026-34874.

detect

Provides timely awareness of Mbed TLS security advisories for this NULL pointer dereference, enabling rapid flaw remediation.

References