Mbed TLS documentation hub

Mbed TLS provides an open-source implementation of cryptographic primitives, X.509 certificate handling and the SSL/TLS and DTLS protocols. It provides a reference implementation of the PSA Cryptography API. The project also supports the PSA Cryptoprocessor Driver Interface which enables support for cryptoprocessor drivers. The small code footprint makes the project suitable for embedded systems. It has many users, including TF-A, TF-M and OP-TEE.

This documentation is undergoing continuous improvement over time to address gaps, etc. We welcome contributions!

For more information, see the following:

• GitHub repository

• Documentation GitHub repository

• Mbed TLS website

• PSA Crypto API specification

For questions and discussions:

• The Mbed TLS mailing list.

• The #mbed-tls channel on the TrustedFirmware Discord server - use the invite link to join.

Security vulnerabilities:

• Please see our process for reporting vulnerabilities.

Contents

• Getting Started
  • Downloading
  • Building
  • Using PSA
• API Reference
• Project
  • Roadmap
  • Long-term plans for Mbed TLS
  • External Trusted Reviewers
  • Security Vulnerability Processes
• Reviews
  • Guidelines for Contributors
  • Guidelines for Reviewers
  • PR Prioritisation
  • Gatekeeper Responsibilities
• Security Advisories
  • Signature Algorithm Injection (CVE-2026-25834)
  • Risk of insufficient protection of serialized session or context data leading to potential memory safety issues (CVE-2026-34877)
  • PSA random generator cloning (CVE-2026-25835)
  • Null pointer dereference when setting a distinguished name (CVE-2026-34874)
  • Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)
  • FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
  • Buffer overflow in FFDH public key export (CVE-2026-34875)
  • Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
  • Compiler-induced constant-time violations (CVE-2025-66442)
  • Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
  • CCM multipart finish tag-length validation bypass (CVE-2026-34876)
  • Side channel in RSA key generation and operations (SSBleed, M-Step) (CVE-2025-54764)
  • Padding oracle through timing of cipher error reporting (CVE-2025-59438)
  • Misleading memory management in mbedtls_x509_string_to_names()
  • NULL pointer dereference after using mbedtls_asn1_store_named_data()
  • Timing side-channel in block cipher decryption with PKCS#7 padding
  • Out-of-bounds read in mbedtls_lms_import_public_key()
  • Unchecked return value in LMS verification allows signature bypass
  • Heap buffer under-read when parsing PEM-encrypted material
  • Race condition in AESNI support detection
  • Potential authentication bypass in TLS handshake
  • TLS clients may unwittingly skip server authentication
  • Buffer underrun in pkwrite when writing an opaque key pair
  • Limited authentication bypass in TLS 1.3 optional client authentication
  • Stack buffer overflow in ECDSA signature conversion functions
  • CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
  • Insecure handling of shared memory in PSA Crypto APIs
  • Buffer overflow in mbedtls_x509_set_extension()
  • Timing side channel in private key RSA operations.
  • Buffer overflow in TLS handshake parsing with ECDH
  • Buffer overread in TLS stream cipher suites
  • Buffer overread in DTLS ClientHello parsing
  • Double Free in mbedtls_ssl_set_session() in an error case.
  • Local side channel attack on static Diffie-Hellman with Montgomery curves
  • Local side channel attack on RSA
  • Protocol weakness in DHE-PSK key exchange
  • Local side channel attack on RSA and static Diffie-Hellman
  • Local side channel attack on classical CBC decryption in (D)TLS
  • Side-channel attack on ECC key import and validation
  • Side channel attack on ECDSA
  • Cache attack against RSA key import in SGX
  • Side channel attack on ECDSA
  • Side channel attack on deterministic ECDSA
  • Mbed TLS Security Advisory 2018-03
  • Mbed TLS Security Advisory 2018-02
  • mbed TLS Security Advisory 2018-01
  • mbed TLS Security Advisory 2017-02
  • mbed TLS Security Advisory 2017-01
  • mbed TLS Security Advisory 2015-01
  • PolarSSL Security Advisory 2014-04
  • PolarSSL Security Advisory 2014-03
  • PolarSSL Security Advisory 2014-02
  • PolarSSL Security Advisory 2014-01
  • PolarSSL Security Advisory 2013-05
  • PolarSSL Security Advisory 2013-04
  • PolarSSL Security Advisory 2013-03
  • PolarSSL Security Advisory 2013-02
  • PolarSSL Security Advisory 2013-01
  • PolarSSL Security Advisory 2012-01
  • PolarSSL Security Advisory 2011-02
  • PolarSSL Security Advisory 2011-01
• Contributing to This Documentation
  • Making a Contribution
• Presentations
  • For contributors
• Knowledge Base
  • Attacks
  • Compiling and Building
  • Cryptography
  • Development
  • Generic
  • How to
  • Licensing
  • Testing Mbed TLS