CVE-2024-28755
6.5 MEDIUM
An issue was discovered in Mbed TLS 3.5.x before 3.6.0
Published: 2024-04-03 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- CWE: CWE-326
Affected products
| Vendor | Product |
|---|---|
| trustedfirmware | mbed_tls |
Description
An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2024-28755
- [Other] https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0
- [Other] https://github.com/hey3e
- [Other] https://hey3e.github.io
- [Vendor advisory] https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/
Related CVEs
Same vendor
- CVE-2026-45702 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.4 MEDIUM)
- CVE-2026-45614 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.7 MEDIUM)
- CVE-2026-40290 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.8 HIGH)
- CVE-2026-33662 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.5 HIGH)
- CVE-2026-33317 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (8.7 HIGH)
Same CWE
- CVE-2026-41860 — CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM (8.8 HIGH)
- CVE-2026-8878 — Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensiti... (7.5 HIGH)
- CVE-2026-45787 — electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client (9.1 CRITICAL)
- CVE-2026-5363 — Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation (8.8 HIGH)
- CVE-2020-7565 — A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attack... (7.3 HIGH)