Vulnerability in Arm Mbed_tls

CVE-2025-27810

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

EPSS: 0.002 (39.9th percentile).

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N.

Affected products

Mbed TLS before 2.28.10 and Mbed TLS 3.x before 3.6.3.

Weakness classification (CWE)

CWE-908: Use of Uninitialized Resource.

References

Frequently asked questions

What is CVE-2025-27810?
CVE-2025-27810 is a medium-severity vulnerability in Arm Mbed TLS, classified under CWE-908 (Use of Uninitialized Resource). CVSS v3 base score: 5.4/10. Published 2025-03-25.
How severe is CVE-2025-27810?
Medium severity. CVSS v3 base score is 5.4 out of 10.