Mbed TLS documentation hub
Mbed TLS provides an open-source implementation of cryptographic primitives, X.509 certificate handling and the SSL/TLS and DTLS protocols. It provides a reference implementation of the PSA Cryptography API. The project also supports the PSA Cryptoprocessor Driver Interface which enables support for cryptoprocessor drivers. The small code footprint makes the project suitable for embedded systems. It has many users, including TF-A, TF-M and OP-TEE.
This documentation is undergoing continuous improvement over time to address gaps, etc. We welcome contributions!
For more information, see the following:
For questions and discussions:
The
#mbed-tlschannel on the TrustedFirmware Discord server - use the invite link to join.
Security vulnerabilities:
Please see our process for reporting vulnerabilities.
Contents
- Getting Started
- API Reference
- Project
- Reviews
- Security Advisories
- Out-of-bounds read when parsing a zero-length ECC public key (CVE-2026-50583)
- X.509 CA bit forgery via invalid basicConstraints extension (CVE-2026-49300)
- Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context (CVE-2026-50579)
- TLS 1.3 client accepts HelloRetryRequest selecting an unadvertised group (CVE-2026-25832)
- TLS 1.3 early data integrity failure due to buffered plaintext across key change (CVE-2026-TODO)
- Information disclosure in TLS 1.2 NewSessionTicket (CVE-2026-50586)
- Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing (CVE-2026-50588)
- Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake (CVE-2026-50580)
- Incomplete context reset in mbedtls_ssl_session_reset() (CVE-2026-50585)
- Signature algorithm restrictions not enforced on certificate chain (CVE-2026-54441)
- Timing side-channel in RSA PKCS#1 v1.5 decryption (CVE-2026-50587)
- A random generator fault can compromise TLS data integrity (CVE-TODO)
- Possible buffer overflow in
mbedtls_ecdh_calc_secret()(CVE-2026-35336) - PKCS7 signed data verification accepts weak hash algorithms
- Ignored TLS 1.3 resumption secret derivation error (CVE-2026-50640)
- Heap corruption with early renegotiation after corrupted record in DTLS (CVE-2026-50713)
- Extended master secret calculation failure ignored (CVE-2026-50581)
- Everest: lack of contributory behaviour due to improper input validation (CVE-2026-54434)
- Side channel leak in ECC optimized modp (CVE-2026-54435)
- ChaCha20 counter overflow can reuse keystream (CVE-2026-50584)
- Signature Algorithm Injection (CVE-2026-25834)
- Risk of insufficient protection of serialized session or context data leading to potential memory safety issues (CVE-2026-34877)
- PSA random generator cloning (CVE-2026-25835)
- Null pointer dereference when setting a distinguished name (CVE-2026-34874)
- Buffer underflow in
x509_inet_pton_ipv6()(CVE-2026-25833) - FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
- Buffer overflow in FFDH public key export (CVE-2026-34875)
- Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
- Compiler-induced constant-time violations (CVE-2025-66442)
- Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
- CCM multipart finish tag-length validation bypass (CVE-2026-34876)
- Side channel in RSA key generation and operations (SSBleed, M-Step) (CVE-2025-54764)
- Padding oracle through timing of cipher error reporting (CVE-2025-59438)
- Misleading memory management in
mbedtls_x509_string_to_names() - NULL pointer dereference after using
mbedtls_asn1_store_named_data() - Timing side-channel in block cipher decryption with PKCS#7 padding
- Out-of-bounds read in mbedtls_lms_import_public_key()
- Unchecked return value in LMS verification allows signature bypass
- Heap buffer under-read when parsing PEM-encrypted material
- Race condition in AESNI support detection
- Potential authentication bypass in TLS handshake
- TLS clients may unwittingly skip server authentication
- Buffer underrun in pkwrite when writing an opaque key pair
- Limited authentication bypass in TLS 1.3 optional client authentication
- Stack buffer overflow in ECDSA signature conversion functions
- CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
- Insecure handling of shared memory in PSA Crypto APIs
- Buffer overflow in mbedtls_x509_set_extension()
- Timing side channel in private key RSA operations.
- Buffer overflow in TLS handshake parsing with ECDH
- Buffer overread in TLS stream cipher suites
- Buffer overread in DTLS ClientHello parsing
- Double Free in
mbedtls_ssl_set_session()in an error case. - Local side channel attack on static Diffie-Hellman with Montgomery curves
- Local side channel attack on RSA
- Protocol weakness in DHE-PSK key exchange
- Local side channel attack on RSA and static Diffie-Hellman
- Local side channel attack on classical CBC decryption in (D)TLS
- Side-channel attack on ECC key import and validation
- Side channel attack on ECDSA
- Cache attack against RSA key import in SGX
- Side channel attack on ECDSA
- Side channel attack on deterministic ECDSA
- Mbed TLS Security Advisory 2018-03
- Mbed TLS Security Advisory 2018-02
- mbed TLS Security Advisory 2018-01
- mbed TLS Security Advisory 2017-02
- mbed TLS Security Advisory 2017-01
- mbed TLS Security Advisory 2015-01
- PolarSSL Security Advisory 2014-04
- PolarSSL Security Advisory 2014-03
- PolarSSL Security Advisory 2014-02
- PolarSSL Security Advisory 2014-01
- PolarSSL Security Advisory 2013-05
- PolarSSL Security Advisory 2013-04
- PolarSSL Security Advisory 2013-03
- PolarSSL Security Advisory 2013-02
- PolarSSL Security Advisory 2013-01
- PolarSSL Security Advisory 2012-01
- PolarSSL Security Advisory 2011-02
- PolarSSL Security Advisory 2011-01
- Contributing to This Documentation
- Presentations
- Knowledge Base