CVE-2024-30166

9.1 CRITICAL

📋 TL;DR

A malicious client can exploit a stack buffer over-read vulnerability in Mbed TLS 3.3.0 through 3.5.2 to cause information disclosure or denial of service against TLS 1.3 servers. This affects any system using vulnerable Mbed TLS versions as a TLS server component. The vulnerability is triggered via a specially crafted TLS 1.3 ClientHello message.

💻 Affected Systems

Products:
  • Mbed TLS
Versions: 3.3.0 through 3.5.2
Operating Systems: All platforms running Mbed TLS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TLS 1.3 servers. TLS clients and other TLS versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to sensitive information disclosure, credential theft, and persistent backdoor installation.

🟠 Likely Case

Server crash causing denial of service, potentially leaking up to 256 bytes of stack memory containing sensitive data.

🟢 If Mitigated

Limited impact with proper network segmentation and intrusion prevention systems blocking malicious traffic.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the TLS server but no authentication. The vulnerability is in the protocol handling code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.0

Vendor Advisory: https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Restart Required: Yes

Instructions:

1. Download Mbed TLS 3.6.0 from the official repository.
2. Replace the vulnerable version with the patched version.
3. Recompile and reinstall if building from source.
4. Restart all services using Mbed TLS.

🔧 Temporary Workarounds

Disable TLS 1.3 (platforms: all)

Temporarily disable TLS 1.3 support to prevent exploitation while patching.

Configure server to only support TLS 1.2 or earlier

Network Filtering (platforms: all)

Use network controls to block malicious ClientHello patterns.

Configure WAF/IPS to detect and block abnormal TLS handshakes

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable servers
  • Deploy intrusion prevention systems with TLS protocol anomaly detection

🔍 How to Verify

Check if Vulnerable:

Check the Mbed TLS version by calling mbedtls_version_get_string() or by checking the package version. If the version is between 3.3.0 and 3.5.2 inclusive, the system is vulnerable.

Check Version:

mbedtls_version_get_string() or check installed package version via system package manager

Verify Fix Applied:

Verify Mbed TLS version is 3.6.0 or higher. Test TLS 1.3 connectivity remains functional.
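
The range check described above, as an added example that is not part of the original page or of Mbed TLS itself. It classifies a version string (as produced by mbedtls_version_get_string() or a package manager) or a number in the 0xMMNNPP00 layout of MBEDTLS_VERSION_NUMBER; the names range_status, pack_version, classify_number and classify_string are hypothetical, and the sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Result of comparing a version against the page's range 3.3.0 .. 3.5.2. */
enum range_status { VER_UNPARSEABLE = -1, VER_OUTSIDE_RANGE = 0, VER_IN_RANGE = 1 };

/* Pack major.minor.patch as MBEDTLS_VERSION_NUMBER does: 0xMMNNPP00. */
static unsigned long pack_version(unsigned maj, unsigned min, unsigned pat)
{
    return ((unsigned long)maj << 24) | ((unsigned long)min << 16) |
           ((unsigned long)pat << 8);
}

/* Classify a value as returned by mbedtls_version_get_number(). */
enum range_status classify_number(unsigned long v)
{
    return (v >= pack_version(3, 3, 0) && v <= pack_version(3, 5, 2))
               ? VER_IN_RANGE : VER_OUTSIDE_RANGE;
}

/* Classify "3.5.2", "Mbed TLS 3.5.2" or a package string like "3.5.2-1". */
enum range_status classify_string(const char *s)
{
    unsigned maj, min, pat;
    if (s == NULL)
        return VER_UNPARSEABLE;
    while (*s != '\0' && !isdigit((unsigned char)*s))
        s++;                              /* skip a textual prefix */
    if (sscanf(s, "%u.%u.%u", &maj, &min, &pat) != 3)
        return VER_UNPARSEABLE;
    if (maj > 255 || min > 255 || pat > 255)
        return VER_UNPARSEABLE;           /* would not fit one byte each */
    return classify_number(pack_version(maj, min, pat));
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real inventory. */
    const char *samples[] = { "Mbed TLS 3.5.2", "3.3.0-1", "3.6.0",
                              "3.2.1", "2.28.7", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum range_status r = classify_string(samples[i]);
        printf("%-16s %s\n", samples[i],
               r == VER_IN_RANGE ? "in affected range (exposed if TLS 1.3 server)"
               : r == VER_OUTSIDE_RANGE ? "outside affected range"
                                        : "could not parse");
    }
    return 0;
}
```

A version inside the range is only exposed when the build acts as a TLS 1.3 server, per the Notes field above; an unparseable string should be treated as unverified rather than safe.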

📡 Detection & Monitoring

Log Indicators:

  • Unexpected server crashes
  • Abnormal TLS handshake failures
  • Memory access violation logs

Network Indicators:

  • Malformed TLS 1.3 ClientHello packets
  • Unusual traffic patterns to TLS ports

SIEM Query:

source="*tls*" AND (event="crash" OR event="access_violation") AND version="3.3.0-3.5.2"
