PT-2021-6686 · Mbed TLS

Published 2020-12-12 · Updated 2025-08-21 · CVE-2020-36478

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Mbed TLS versions prior to 2.25.0
Mbed TLS versions prior to 2.16.9 LTS
Mbed TLS versions prior to 2.7.18 LTS
Description

The issue stems from an incorrect comparison of a NULL value with an empty array in the TLS and SSL protocol implementation of Mbed TLS, and it allows a remote attacker to compromise data integrity. A NULL algorithm parameters entry is mistaken for an array of size zero, so a certificate is considered valid even when its algorithm parameters do not match.
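The comparison fault described above, shown as an added illustration that is not Mbed TLS's own code: the `alg_params` structure, the `ASN1_NULL` constant and the two comparison functions are assumptions made for this example, and the parameter values are constructed, not taken from a real certificate. The buggy routine treats an encoded NULL (a zero-length element) as identical to parameters that are absent altogether, because it only compares content length and bytes; the corrected routine also compares presence and tag, which is the check a reviewer of certificate-parsing code should expect to see.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical view of an AlgorithmIdentifier's parameters field as a parser
 * might hand it to a comparison routine. Not Mbed TLS's own type. */
typedef struct {
    int tag;          /* ASN.1 tag of the parameters element; 0 when absent */
    const uint8_t *p; /* content bytes; NULL when absent or zero-length */
    size_t len;       /* content length */
} alg_params;

#define ASN1_NULL 0x05  /* ASN.1 NULL tag (assumed constant for this example) */

/* Buggy comparison: an encoded NULL (tag 0x05, zero-length content) compares
 * equal to absent parameters, because only len and content are examined. */
int params_match_buggy(const alg_params *a, const alg_params *b)
{
    if (a->len != b->len)
        return 0;
    if (a->len == 0)
        return 1;               /* both zero-length: wrongly assumed equal */
    return memcmp(a->p, b->p, a->len) == 0;
}

/* Corrected comparison: presence and tag are part of the identity, so a NULL
 * element and a missing element no longer match. */
int params_match_fixed(const alg_params *a, const alg_params *b)
{
    if (a->tag != b->tag)
        return 0;
    if (a->len != b->len)
        return 0;
    if (a->len == 0)
        return 1;               /* same tag, both zero-length: equal */
    return memcmp(a->p, b->p, a->len) == 0;
}

/* Constructed sample values (not from any real certificate). */
static const uint8_t sample_seq_content[] = { 0xA0, 0x03, 0x02, 0x01, 0x20 };
const alg_params PARAMS_ABSENT = { 0,         NULL,               0 };
const alg_params PARAMS_NULL   = { ASN1_NULL, NULL,               0 };
const alg_params PARAMS_SEQ    = { 0x30,      sample_seq_content, sizeof sample_seq_content };

/* Models the check that a certificate's outer signatureAlgorithm parameters
 * equal its inner tbsCertificate.signature parameters. Returns 1 when the
 * chosen comparison would accept the pair, 0 when it would reject it. */
int cert_params_accepted(const alg_params *outer, const alg_params *inner, int use_fixed)
{
    return use_fixed ? params_match_fixed(outer, inner)
                     : params_match_buggy(outer, inner);
}

int main(void)
{
    printf("NULL vs absent, buggy check accepts: %d\n",
           cert_params_accepted(&PARAMS_NULL, &PARAMS_ABSENT, 0));
    printf("NULL vs absent, fixed check accepts: %d\n",
           cert_params_accepted(&PARAMS_NULL, &PARAMS_ABSENT, 1));
    printf("NULL vs NULL,   fixed check accepts: %d\n",
           cert_params_accepted(&PARAMS_NULL, &PARAMS_NULL, 1));
    printf("SEQ  vs absent, fixed check accepts: %d\n",
           cert_params_accepted(&PARAMS_SEQ, &PARAMS_ABSENT, 1));
    return 0;
}
```

The mismatch that matters is the NULL-versus-absent pair: the buggy check accepts it, the corrected one rejects it, while genuinely identical parameters are still accepted by both.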
Recommendations

For Mbed TLS versions prior to 2.25.0, update to version 2.25.0 or later.
For Mbed TLS versions prior to 2.16.9 LTS, update to version 2.16.9 LTS or later.
For Mbed TLS versions prior to 2.7.18 LTS, update to version 2.7.18 LTS or later.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2020-3502
ALT-PU-2021-2234
ALT-PU-2025-10462
BDU:2022-02039
CVE-2020-36478
DLA-2826-1
DLA-3249-1

Affected Products

Alt Linux
Astra Linux
Mbed TLS