CVE-2025-27810

NameCVE-2025-27810
DescriptionMbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1101499

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mbedtls (PTS)bullseye2.16.9-0.1vulnerable
bullseye (security)2.16.9-0.1+deb11u1vulnerable
bookworm2.28.3-1vulnerable
trixie, sid3.6.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mbedtlssource(unstable)3.6.3-11101499

Notes

[bookworm] - mbedtls <no-dsa> (Minor issue)
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
Search for package or bug name: Reporting problems