What is CVE-2026-34877?

CVE-2026-34877 is a critical-severity vulnerability in Arm Mbed_tls, classified under CWE-250. CVSS score: 9.8/10. Published 2026-04-02.

How severe is CVE-2026-34877?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Deserialization in Arm Mbed_tls

CVE-2026-34877

An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corr…

EPSS: 0.002 (44.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Arm Mbed_tls
Trustedfirmware Mbed_tls — versions 4.0.0
N/a — versions n/a

Weakness classification (CWE)

CWE-250
CWE-502 — Deserialization of Untrusted Data

References

cve@mitre.org (Vendor Advisory)
cve@mitre.org (Vendor Advisory)

Frequently asked questions

What is CVE-2026-34877?: CVE-2026-34877 is a critical-severity vulnerability in Arm Mbed_tls, classified under CWE-250. CVSS score: 9.8/10. Published 2026-04-02.
How severe is CVE-2026-34877?: Critical severity. CVSS v3 base score is 9.8 out of 10.