PT-2022-6102 · Arm+2 · Mbed Tls+2

Author: Sharad Sinha (+3)

Published: 2022-12-15 · Updated: 2025-08-21

CVE-2022-46393

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Mbed TLS versions prior to 2.28.2; Mbed TLS versions 3.x prior to 3.3.0

Description: A potential heap-based buffer overflow and heap-based buffer over-read exists in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX is greater than 2 times MBEDTLS_SSL_CID_OUT_LEN_MAX. A remote attacker could exploit this issue to overwrite data in heap memory and potentially recover a private RSA key.

Recommendations: For Mbed TLS versions prior to 2.28.2, update to version 2.28.2 or later. For Mbed TLS versions 3.x prior to 3.3.0, update to version 3.3.0 or later. As a temporary workaround, consider disabling the MBEDTLS_SSL_DTLS_CONNECTION_ID feature until a patch is available. Restrict access to DTLS connections where MBEDTLS_SSL_CID_IN_LEN_MAX is greater than 2 times MBEDTLS_SSL_CID_OUT_LEN_MAX to minimize the risk of exploitation.
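The advisory's precondition is a build-time configuration property, so the practical check is an audit of the Mbed TLS configuration rather than a network probe. The following Python helper is an added example, not code from this advisory or from the Mbed TLS project. It parses the active `#define` lines of a configuration file, applies the two conditions stated above (Connection ID enabled, and MBEDTLS_SSL_CID_IN_LEN_MAX greater than 2 times MBEDTLS_SSL_CID_OUT_LEN_MAX), and then compares the library version against the fixed releases 2.28.2 and 3.3.0. It assumes, as Mbed TLS does in practice, that disabled options are shipped as `//#define` lines, that the version is exposed through MBEDTLS_VERSION_MAJOR / MINOR / PATCH macros, and that both CID length limits default to 32 when not overridden; the sample configuration and version texts are constructed for the example.

```python
"""Audit an Mbed TLS build configuration for the CVE-2022-46393 precondition.

Added example, not part of the advisory or the Mbed TLS project. Assumptions:
disabled options appear as '//#define ...' lines, version macros are
MBEDTLS_VERSION_MAJOR / MINOR / PATCH, and both CID limits default to 32.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Fixed releases stated in the advisory.
FIXED_2X = (2, 28, 2)
FIXED_3X = (3, 3, 0)
DEFAULT_CID_LEN = 32  # assumption: library default for both CID length limits

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(MBEDTLS_[A-Z0-9_]+)(?:\s+(.*?))?\s*$")


def parse_defines(text: str) -> dict:
    """Map active MBEDTLS_* macros to their raw value (None for flag macros).

    Lines starting with '//' are treated as disabled options and skipped.
    """
    defines = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2).strip() if m.group(2) else None
    return defines


def _int_value(raw: Optional[str], default: int) -> int:
    """Parse a numeric macro value, dropping any trailing comment."""
    if raw is None:
        return default
    return int(re.split(r"/\*|//", raw)[0].strip())


def parse_version(build_info: str) -> Optional[Tuple[int, int, int]]:
    """Read (major, minor, patch) from the version macros, or None if absent."""
    d = parse_defines(build_info)
    try:
        return tuple(_int_value(d[f"MBEDTLS_VERSION_{k}"], 0)
                     for k in ("MAJOR", "MINOR", "PATCH"))
    except (KeyError, ValueError):
        return None


def version_is_fixed(version: Optional[Tuple[int, int, int]]) -> bool:
    """True when the version is at or past the fixed release of its line."""
    if version is None:
        return False
    return version >= (FIXED_3X if version[0] >= 3 else FIXED_2X)


@dataclass
class Finding:
    vulnerable: bool
    reason: str


def audit(config: str, build_info: str = "") -> Finding:
    """Apply the advisory's precondition: CID enabled and IN_LEN_MAX > 2 * OUT_LEN_MAX."""
    d = parse_defines(config)
    if "MBEDTLS_SSL_DTLS_CONNECTION_ID" not in d:
        return Finding(False, "MBEDTLS_SSL_DTLS_CONNECTION_ID is disabled")
    in_max = _int_value(d.get("MBEDTLS_SSL_CID_IN_LEN_MAX"), DEFAULT_CID_LEN)
    out_max = _int_value(d.get("MBEDTLS_SSL_CID_OUT_LEN_MAX"), DEFAULT_CID_LEN)
    if in_max <= 2 * out_max:
        return Finding(False, f"CID_IN_LEN_MAX={in_max} <= 2*CID_OUT_LEN_MAX={2 * out_max}")
    version = parse_version(build_info)
    if version_is_fixed(version):
        return Finding(False, f"precondition present but version {version} contains the fix")
    return Finding(True, f"CID enabled with CID_IN_LEN_MAX={in_max} > "
                         f"2*CID_OUT_LEN_MAX={2 * out_max} on unfixed or unknown version {version}")


# Constructed sample inputs; not real project files.
VULNERABLE_CONFIG = """\
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 /* accept long peer CIDs */
#define MBEDTLS_SSL_CID_OUT_LEN_MAX 8
"""
SAFE_CONFIG = VULNERABLE_CONFIG.replace("#define MBEDTLS_SSL_DTLS_CONNECTION_ID",
                                        "//#define MBEDTLS_SSL_DTLS_CONNECTION_ID")
OLD_BUILD_INFO = """\
#define MBEDTLS_VERSION_MAJOR  2
#define MBEDTLS_VERSION_MINOR  28
#define MBEDTLS_VERSION_PATCH  1
"""
FIXED_BUILD_INFO = (OLD_BUILD_INFO.replace("MAJOR  2", "MAJOR  3")
                    .replace("MINOR  28", "MINOR  3").replace("PATCH  1", "PATCH  0"))

if __name__ == "__main__":
    for name, cfg, ver in [("vulnerable/2.28.1", VULNERABLE_CONFIG, OLD_BUILD_INFO),
                           ("vulnerable/3.3.0", VULNERABLE_CONFIG, FIXED_BUILD_INFO),
                           ("cid disabled", SAFE_CONFIG, OLD_BUILD_INFO)]:
        f = audit(cfg, ver)
        print(f"{name}: {'VULNERABLE' if f.vulnerable else 'ok'} - {f.reason}")
```

The version check deliberately treats an unknown version as unfixed, so a configuration that matches the precondition is reported unless the fix can be positively confirmed; the two workarounds in the advisory (disabling Connection ID, or keeping MBEDTLS_SSL_CID_IN_LEN_MAX within 2 times MBEDTLS_SSL_CID_OUT_LEN_MAX) each make the audit pass independently of the version.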

Fix

Out of bounds Read

Memory Corruption

Weakness Enumeration

Related Identifiers

ALT-PU-2022-3348
ALT-PU-2023-4980
ALT-PU-2024-2404
ALT-PU-2025-10462
BDU:2023-00041
CVE-2022-46393
OPENSUSE-SU-2022:10257-1
OPENSUSE-SU-2024:12581-1

Affected Products

Alt Linux
Mbed Tls
Red Os