CVE-2026-34875
Published: 01 April 2026
Summary
CVE-2026-34875 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Arm Mbed TLS. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, prioritization, and correction of flaws like the buffer overflow in Mbed TLS public key export for FFDH keys.
Implements memory protections such as address space layout randomization, non-executable stacks, and canaries that mitigate exploitation of buffer overflows.
Enables vulnerability scanning to identify systems using vulnerable versions of Mbed TLS or TF-PSA-Crypto affected by this CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated buffer overflow in Mbed TLS (public-facing TLS/crypto library) directly enables exploitation of public-facing applications for arbitrary code execution.
NVD Description
An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.
Deeper analysis
CVE-2026-34875 is a buffer overflow vulnerability (CWE-120) discovered in Mbed TLS versions through 3.6.5 and TF-PSA-Crypto 1.0.0. The issue arises during public key export for FFDH (Finite Field Diffie-Hellman) keys, where insufficient bounds checking can lead to a buffer overflow. It has been assigned a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and unchanged scope (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation could allow arbitrary code execution, data corruption, or denial of service, depending on the context in which the affected components are deployed, such as in TLS/SSL implementations or cryptographic libraries used in embedded systems, servers, or IoT devices.
Mitigation details are provided in the official Mbed TLS security advisories, available at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and specifically https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/. Security practitioners should consult these for patch availability, upgrade instructions, and workarounds for vulnerable versions.
Details
- CWE(s)