CVE-2024-49195

9.8 CRITICAL

📋 TL;DR

Mbed TLS versions 3.5.x through 3.6.x before 3.6.2 contain a buffer underrun vulnerability in the pkwrite function when writing opaque key pairs. This allows attackers to potentially execute arbitrary code or cause denial of service by writing beyond allocated memory boundaries. Any system using vulnerable Mbed TLS versions for cryptographic operations is affected.

💻 Affected Systems

Products:
  • Mbed TLS
Versions: 3.5.x through 3.6.x before 3.6.2
Operating Systems: All platforms using Mbed TLS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using opaque key pairs with pkwrite functionality. Applications not using this specific feature may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or persistent backdoor installation.

🟠 Likely Case

Application crash or denial of service affecting TLS/SSL functionality, potentially disrupting secure communications.

🟢 If Mitigated

Limited impact with proper memory protection mechanisms (ASLR, DEP) that may prevent code execution but still cause crashes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Buffer underrun vulnerabilities typically require specific memory manipulation knowledge but CVSS 9.8 suggests significant exploit potential.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.2

Vendor Advisory: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/

Restart Required: Yes

Instructions:

1. Download Mbed TLS 3.6.2 from the official repository.
2. Replace the vulnerable version.
3. Recompile applications using Mbed TLS.
4. Restart affected services.

🔧 Temporary Workarounds

Disable opaque key pair usage

Platforms: all

Avoid using pkwrite with opaque key pairs if possible in application code. Modify application source code to use alternative key formats.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Deploy memory protection controls (ASLR, DEP, stack canaries) to reduce exploit success

🔍 How to Verify

Check if Vulnerable:

Check the Mbed TLS version the application is built against, for example by calling mbedtls_version_get_string() (declared in mbedtls/version.h), or examine the library files

Check Version:

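For compiled applications: strings binary_name | grep -iE 'mbed ?tls'

The library's version banner is written with a space ("Mbed TLS x.y.z"), so the pattern matches both spellings.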

Verify Fix Applied:

Verify version is 3.6.2 or later and test pkwrite functionality with opaque keys
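
The check above can be scripted. The following is an added example, not code from the vendor advisory or the Mbed TLS project: it pulls version banners out of `strings` output and classifies them against the affected range listed on this page. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): classify Mbed TLS version banners
# against the range this page lists: 3.5.x through 3.6.x before 3.6.2.

# Echo affected | fixed | not-listed | unparsable for a MAJOR.MINOR.PATCH string.
classify_mbedtls_version() {
    case $1 in
        *[!0-9.]*|*.*.*.*) echo unparsable; return 0 ;;
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparsable; return 0 ;;
    esac
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 5 ]; then
        echo affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 2 ]; then
        echo affected
    elif [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }; then
        echo fixed          # 3.6.2 or later
    else
        echo not-listed     # older than 3.5.0: outside the range on this page
    fi
}

# Read `strings` output on stdin; print "<version> <verdict>" per unique banner.
scan_banners() {
    grep -ioE 'mbed ?tls [0-9]+\.[0-9]+\.[0-9]+' | awk '{print $NF}' | sort -u |
    while read -r v; do
        printf '%s %s\n' "$v" "$(classify_mbedtls_version "$v")"
    done
}

# Constructed sample standing in for: strings binary_name
sample_strings_output() {
    cat <<'EOF'
mbedtls_pk_write_key_der
Mbed TLS 3.6.1
SSL - Bad input parameters to function
EOF
}

sample_strings_output | scan_banners
```

A banner in the affected range shows only which library version is linked; per the Notes under Affected Systems, exposure also depends on whether the application writes opaque key pairs with pkwrite.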

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to Mbed TLS
  • Memory access violation errors
  • TLS/SSL handshake failures

Network Indicators:

  • Abnormal termination of TLS connections
  • Unexpected network traffic patterns

SIEM Query:

source="application_logs" AND ("mbedtls" OR "TLS error") AND ("crash" OR "segmentation fault" OR "access violation")
