PatchSiren cyber security CVE debrief
CVE-2026-25833 Mbed TLS CVE debrief
CVE-2026-25833 is a HIGH severity vulnerability in Mbed TLS, a cryptographic library. The vulnerability is caused by a buffer overflow in the x509_inet_pton_ipv6() function. It affects Mbed TLS versions from 3.5.0 to 3.6.5 and 4.0.0. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].
- Vendor
- Mbed TLS
- Product
- Mbed TLS
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-01
- Original CVE updated
- 2026-06-05
- Advisory published
- 2026-04-01
- Advisory updated
- 2026-06-05
Who should care
Users of Mbed TLS, especially those using versions 3.5.0 to 3.6.5 and 4.0.0, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a buffer overflow in the x509_inet_pton_ipv6() function in Mbed TLS. This function is used for parsing IPv6 addresses. The buffer overflow can be exploited remotely, allowing an attacker to potentially execute arbitrary code or cause a denial of service.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Mbed TLS version 3.6.6 or 4.1.0, which fixes the vulnerability.
- Refer to [ref-4] and [ref-5] for vendor advisories and mitigation strategies.
Evidence notes
The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Official resources
-
CVE-2026-25833 CVE record
CVE.org
-
CVE-2026-25833 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
CVE-2026-25833 was published on 2026-04-01T19:16:28.530Z and last modified on 2026-06-05T19:38:32.047Z.