{"api_version":"1","generated_at":"2026-06-20T09:25:11+00:00","cve":"CVE-2025-27810","urls":{"html":"https://cve.report/CVE-2025-27810","api":"https://cve.report/api/cve/CVE-2025-27810.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-27810","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-27810"},"summary":{"title":"CVE-2025-27810","description":"Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.","state":"PUBLISHED","assigner":"mitre","published_at":"2025-03-25 06:15:41","updated_at":"2026-06-05 19:38:32"},"problem_types":["CWE-908","CWE-908 CWE-908 Use of Uninitialized Resource"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"cve@mitre.org","type":"Secondary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"baseScore":5.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/","name":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/","refsource":"cve@mitre.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Mbed-TLS/mbedtls/releases","name":"https://github.com/Mbed-TLS/mbedtls/releases","refsource":"cve@mitre.org","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-27810","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27810","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mbed","product":"mbedtls","version":"affected 2.28.10 semver","platforms":[]},{"source":"CNA","vendor":"Mbed","product":"mbedtls","version":"affected 3.0.0 3.6.3 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"27810","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"arm","cpe5":"mbed_tls","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"27810","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"trustedfirmware","cpe5":"mbed_tls","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"27810","cve":"CVE-2025-27810","epss":"0.001840000","percentile":"0.400080000","score_date":"2026-06-11","updated_at":"2026-06-12 00:07:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-27810","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-03-25T14:36:57.836676Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-03-25T14:37:14.294Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"mbedtls","vendor":"Mbed","versions":[{"lessThan":"2.28.10","status":"affected","version":"0","versionType":"semver"},{"lessThan":"3.6.3","status":"affected","version":"3.0.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:mbed:mbedtls:*:*:*:*:*:*:*:*","versionEndExcluding":"2.28.10","vulnerable":true},{"criteria":"cpe:2.3:a:mbed:mbedtls:*:*:*:*:*:*:*:*","versionEndExcluding":"3.6.3","versionStartIncluding":"3.0.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays."}],"metrics":[{"cvssV3_1":{"baseScore":5.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-908","description":"CWE-908 Use of Uninitialized Resource","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-03-25T05:46:03.559Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://github.com/Mbed-TLS/mbedtls/releases"},{"url":"https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/"}],"x_generator":{"engine":"enrichogram 0.0.1"}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2025-27810","datePublished":"2025-03-25T00:00:00.000Z","dateReserved":"2025-03-07T00:00:00.000Z","dateUpdated":"2025-03-25T14:37:14.294Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2025-03-25 06:15:41","lastModifiedDate":"2026-06-05 19:38:32","problem_types":["CWE-908","CWE-908 CWE-908 Use of Uninitialized Resource"],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":2.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*","versionEndExcluding":"2.28.10","matchCriteriaId":"DD0A913D-2765-4EE6-8C44-59214EFCAD03"},{"vulnerable":true,"criteria":"cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.6.3","matchCriteriaId":"B8253337-97A1-4B7E-A0D4-31AFBA7A20F6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"27810","Ordinal":"1","Title":"CVE-2025-27810","CVE":"CVE-2025-27810","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"27810","Ordinal":"1","NoteData":"Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.","Type":"Description","Title":"CVE-2025-27810"}]}}}