PT-2024-23220 · Mbed TLS · Mbed TLS

Published

2024-04-02

·

Updated

2025-06-27

·

CVE-2024-30166

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Mbed TLS versions 3.3.0 through 3.5.2 (fixed in 3.6.0)

Description

A malicious client can cause information disclosure or a denial of service through a stack buffer over-read in a TLS 1.3 server, triggered by a crafted ClientHello (the CVE record describes the trigger as a "TLS 3.1 ClientHello"; that wording is the record's own). The over-read reaches fewer than 256 bytes past the end of the buffer. Because the ClientHello is the first message a client sends, no authentication and no user interaction are required (PR:N, UI:N in the vector); the server may return adjacent stack contents to the client (C:H) or crash (A:H), while integrity is not affected (I:N).

Recommendations

For Mbed TLS versions 3.3.0 through 3.5.2, update to version 3.6.0 or later. Until the update is deployed, limit which clients can reach TLS 1.3 servers built on an affected version (network ACLs, client allow-lists). Where TLS 1.3 is not required, take the affected TLS 1.3 server code path out of reach: build without MBEDTLS_SSL_PROTO_TLS1_3, or cap the server configuration at TLS 1.2 with mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2). The triggering ClientHello is chosen by the client, so there is no client-side setting an operator can rely on; the mitigation has to be applied on the server.
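To triage a deployment against this advisory, the following added script (not part of this page or of the Mbed TLS project) reads the library version from an Mbed TLS 3.x include/mbedtls/build_info.h and the feature switches from include/mbedtls/mbedtls_config.h, and reports whether the build is both in the affected range (3.3.0 through 3.5.2) and compiled with the TLS 1.3 server code path (MBEDTLS_SSL_SRV_C together with MBEDTLS_SSL_PROTO_TLS1_3). The header layout is an assumption about the 3.x tree, and the sample header contents embedded in the script are constructed, not copied from a release; real paths are passed on the command line.

```python
"""Triage helper for CVE-2024-30166: is this Mbed TLS build exposed?

Added example, not part of the advisory or of the Mbed TLS project.
Assumes the 3.x header layout: MBEDTLS_VERSION_STRING lives in
include/mbedtls/build_info.h and feature switches such as
MBEDTLS_SSL_PROTO_TLS1_3 / MBEDTLS_SSL_SRV_C in include/mbedtls/mbedtls_config.h.
"""
import re
import sys

# Affected range and fix version are taken from the advisory text above.
AFFECTED_MIN = (3, 3, 0)
AFFECTED_MAX = (3, 5, 2)
FIXED_IN = (3, 6, 0)

# Both options must be on for the TLS 1.3 *server* code path to be compiled in.
REQUIRED_OPTIONS = ("MBEDTLS_SSL_SRV_C", "MBEDTLS_SSL_PROTO_TLS1_3")


def parse_version(build_info_text):
    """Return (major, minor, patch) from the MBEDTLS_VERSION_STRING define."""
    m = re.search(r'#\s*define\s+MBEDTLS_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)"',
                  build_info_text)
    if m is None:
        raise ValueError("MBEDTLS_VERSION_STRING not found in build_info.h")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True for 3.3.0 <= version <= 3.5.2 (tuple comparison is lexicographic)."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def option_enabled(config_text, name):
    """True if '#define NAME' is present and not commented out.

    mbedtls_config.h disables an option by prefixing its line with '//',
    so only a line that starts with '#define' (after optional whitespace)
    counts as enabled; '//#define NAME' does not.
    """
    pattern = re.compile(r"^\s*#\s*define\s+" + re.escape(name) + r"\b", re.M)
    return pattern.search(config_text) is not None


def assess(build_info_text, config_text):
    """Combine version range and build options into a verdict for this CVE."""
    version = parse_version(build_info_text)
    missing = [o for o in REQUIRED_OPTIONS if not option_enabled(config_text, o)]
    in_range = version_affected(version)
    return {
        "version": version,
        "version_affected": in_range,
        "tls13_server_built": not missing,
        "missing_options": missing,
        "exposed": in_range and not missing,
        "fix_version": FIXED_IN,
    }


# Constructed sample headers standing in for real files (assumption, not a release).
SAMPLE_BUILD_INFO = '''
#define MBEDTLS_VERSION_MAJOR  3
#define MBEDTLS_VERSION_MINOR  5
#define MBEDTLS_VERSION_PATCH  1
#define MBEDTLS_VERSION_STRING "3.5.1"
'''

SAMPLE_CONFIG = '''
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS1_3
//#define MBEDTLS_SSL_EARLY_DATA
'''


def main(argv):
    """Usage: triage.py <build_info.h> <mbedtls_config.h>; exit 1 if exposed."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            build_info = f.read()
        with open(argv[2]) as f:
            config = f.read()
    else:
        build_info, config = SAMPLE_BUILD_INFO, SAMPLE_CONFIG
    r = assess(build_info, config)
    print("Mbed TLS %d.%d.%d" % r["version"])
    print("in affected range 3.3.0..3.5.2:", r["version_affected"])
    print("TLS 1.3 server code path built:", r["tls13_server_built"],
          "(missing: %s)" % ", ".join(r["missing_options"] or ["none"]))
    print("EXPOSED to CVE-2024-30166:", r["exposed"],
          "-> update to %d.%d.%d or later" % FIXED_IN if r["exposed"] else "")
    return 1 if r["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check deliberately requires both the version range and the server-side TLS 1.3 options: a 3.4.x build compiled as a client only, or with TLS 1.3 commented out, is not carrying the code path the advisory names, and flagging it would waste patch effort. A build that is in range and has both options on should be treated as exposed regardless of what a scanner sees on the wire.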

Fix

DoS

Stack buffer over-read

Weakness Enumeration

Related Identifiers

CVE-2024-30166

Affected Products

Mbed TLS