PT-2015-6835 · Arm+2 · Mbed Tls+3

Guido Vranken

Published

2015-11-02

Updated

2026-06-05

CVE-2015-5291

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions PolarSSL versions 1.x through 1.2.16 ARM mbed TLS (formerly PolarSSL) versions 1.3.x through 1.3.13 ARM mbed TLS (formerly PolarSSL) versions 2.x through 2.1.1

Description A heap-based buffer overflow issue exists, allowing remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code. This occurs when a long hostname is sent to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message.

Recommendations For PolarSSL versions 1.x through 1.2.16, update to version 1.2.17 or later. For ARM mbed TLS (formerly PolarSSL) versions 1.3.x through 1.3.13, update to version 1.3.14 or later. For ARM mbed TLS (formerly PolarSSL) versions 2.x through 2.1.1, update to version 2.1.2 or later.

Fix

DoS

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALT-PU-2015-1956

CVE-2015-5291

DLA-331-1

DSA-3468-1

MGASA-2016-0054

OPENSUSE-SU-2015_2257-1

OPENSUSE-SU-2024:10088-1

OPENSUSE-SU-2024:12903-1

Affected Products

Alt Linux

Polarssl

Suse

Mbed Tls

PT-2015-6835 · Arm+2 · Mbed Tls+3

CVE-2015-5291

Weakness Enumeration

Related Identifiers

Affected Products

References · 37