An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
References
Link | Resource |
---|---|
https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0 | Release Notes |
https://github.com/hey3e | Not Applicable |
https://hey3e.github.io | Not Applicable |
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/ | Vendor Advisory |
https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0 | Release Notes |
https://github.com/hey3e | Not Applicable |
https://hey3e.github.io | Not Applicable |
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/ | Vendor Advisory |
Configurations
History
10 Jun 2025, 00:41
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* | |
References | () https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0 - Release Notes | |
References | () https://github.com/hey3e - Not Applicable | |
References | () https://hey3e.github.io - Not Applicable | |
References | () https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/ - Vendor Advisory | |
First Time |
Arm
Arm mbed Tls |
21 Nov 2024, 09:06
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0 - | |
References | () https://github.com/hey3e - | |
References | () https://hey3e.github.io - | |
References | () https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/ - |
06 Sep 2024, 20:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | CWE-326 |
03 Apr 2024, 12:38
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
03 Apr 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-03 03:15
Updated : 2025-06-10 00:41
NVD link : CVE-2024-28755
Mitre link : CVE-2024-28755
CVE.ORG link : CVE-2024-28755
JSON object : View
Products Affected
arm
- mbed_tls
CWE
CWE-326
Inadequate Encryption Strength