CVE-2022-35409

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLSSSLDTLSCLIENTPORTREUSE enabled and MBEDTLSSSLINCONTENTLEN less than a threshold that depends on the configuration: 258 bytes if using mbedtlssslcookiecheck, and possibly up to 571 bytes with a custom cookie check function.

References

Affected packages

Git / github.com/armmbed/mbedtls

Affected ranges

Type

GIT

Repo

https://github.com/armmbed/mbedtls

Events

Introduced

Fixed

dd79db10014d85b26d11fe57218431f2e5ede6f2

Introduced

8df2f8e7b9c7bb9390ac74bb7bace27edca81a2b

Fixed

3aef7670b78ddebf80f4ad38b9a0059d40021832

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.28.1"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.0"
        }
    ]
}

Affected versions

mbedtls-3.*

mbedtls-3.0.0

mbedtls-3.1.0

v3.*

v3.0.0

v3.1.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35409.json"