PT-2024-22563 · Mbed Tls+1 · Mbed Tls+1

Hey3E · Published 2024-04-02 · Updated 2025-06-10 · CVE-2024-28755

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Mbed TLS versions 3.5.x through 3.5.x before 3.6.0
Mbed TLS versions prior to 3.6.0

Description

An issue was discovered in Mbed TLS. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

Recommendations

For Mbed TLS versions prior to 3.6.0, update to version 3.6.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the mbedtls_ssl_session_reset() API until a patch is available.
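The state bug in the description, as an added C model usable as a regression check (not Mbed TLS source and not code from this advisory). Every type and function name is hypothetical, and the model assumes that a completed handshake narrows the context's working maximum version to the version it negotiated.

```c
#include <stdio.h>

/* Simplified model, NOT Mbed TLS source: all names are hypothetical. */
#define TLS12 0x0303
#define TLS13 0x0304

struct model_conf { int max_version; };      /* configured maximum, never modified */
struct model_ctx {
    const struct model_conf *conf;
    int cur_max;                             /* per-context working maximum */
    int negotiated;                          /* 0 = no session yet */
};

static void model_setup(struct model_ctx *c, const struct model_conf *conf) {
    c->conf = conf;
    c->cur_max = conf->max_version;
    c->negotiated = 0;
}

/* Server side: pick the highest version both peers allow.
 * Model assumption: the working maximum is narrowed to the result. */
static int model_handshake(struct model_ctx *c, int peer_max) {
    int v = peer_max < c->cur_max ? peer_max : c->cur_max;
    c->negotiated = v;
    c->cur_max = v;
    return v;
}

/* Flawed reset: clears the session but leaves cur_max stale. */
static void model_reset_flawed(struct model_ctx *c) { c->negotiated = 0; }

/* Corrected reset: restores the working maximum from the configuration. */
static void model_reset_fixed(struct model_ctx *c) {
    c->negotiated = 0;
    c->cur_max = c->conf->max_version;
}

/* Reuse one context for two sessions; return the version the second,
 * TLS 1.3-capable peer ends up with. */
static int second_session(void (*reset)(struct model_ctx *), int first_peer_max) {
    struct model_conf conf = { TLS13 };
    struct model_ctx ctx;
    model_setup(&ctx, &conf);
    model_handshake(&ctx, first_peer_max);
    reset(&ctx);
    return model_handshake(&ctx, TLS13);
}

int main(void) {
    printf("flawed: 0x%04x  fixed: 0x%04x\n",
           second_session(model_reset_flawed, TLS12),
           second_session(model_reset_fixed, TLS12));
    return 0;
}
```

The invariant to test in any code that reuses contexts is that, after a reset, the working maximum equals the configured maximum regardless of what the previous session negotiated.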

Fix

DoS

Inadequate Encryption Strength

Weakness Enumeration

Related Identifiers

CVE-2024-28755

Affected Products

Debian
Mbed Tls