[USN-8123-1] Mbed TLS vulnerabilities
Posted on 25 March 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8123-1
March 25, 2026
mbedtls vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in mbedtls.
Software Description:
- mbedtls: Lightweight crypto and SSL/TLS library
Details:

It was discovered that Mbed TLS incorrectly handled memory allocation
failures. A remote attacker could possibly use this issue to crash
the program. This issue only affected Ubuntu 18.04 LTS and Ubuntu
20.04 LTS. (CVE-2021-44732)

Jonathan Winzig discovered that Mbed TLS incorrectly handled crafted
inputs. A remote attacker could possibly use this issue to crash the
program, resulting in a denial of service. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-23775)

It was discovered that Mbed TLS incorrectly handled the TLS
handshake. A remote attacker could possibly use this issue to
break the security guarantees of the TLS handshake.
(CVE-2025-27810)

Linh Le and Ngan Nguyen discovered that Mbed TLS incorrectly
documented the behavior of a function. Application code relying
on the documented behavior might be affected. A remote attacker
could possibly use this issue to execute arbitrary code.
(CVE-2025-47917)

Linh Le and Ngan Nguyen discovered that Mbed TLS incorrectly handled
crafted input. A remote attacker could possibly use this issue to
crash the program, resulting in a denial of service. (CVE-2025-48965)

It was discovered that Mbed TLS incorrectly handled a race condition.
An attacker could possibly use this issue to extract AES keys.
(CVE-2025-52496)

Linh Le and Ngan Nguyen discovered that Mbed TLS incorrectly handled
certain invalid input. A remote attacker could possibly use this
issue to crash the program, resulting in a denial of service.
(CVE-2025-52497)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libmbedcrypto7t64   2.28.8-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedtls-dev      2.28.8-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedtls14t64     2.28.8-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedx509-1t64    2.28.8-1ubuntu0.1~esm1   Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libmbedcrypto7      2.28.0-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedtls-dev      2.28.0-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedtls14        2.28.0-1ubuntu0.1~esm1   Available with Ubuntu Pro
  libmbedx509-1       2.28.0-1ubuntu0.1~esm1   Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libmbedcrypto3      2.16.4-1ubuntu2+esm1     Available with Ubuntu Pro
  libmbedtls-dev      2.16.4-1ubuntu2+esm1     Available with Ubuntu Pro
  libmbedtls12        2.16.4-1ubuntu2+esm1     Available with Ubuntu Pro
  libmbedx509-0       2.16.4-1ubuntu2+esm1     Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libmbedcrypto1      2.8.0-1ubuntu0.1~esm1    Available with Ubuntu Pro
  libmbedtls-dev      2.8.0-1ubuntu0.1~esm1    Available with Ubuntu Pro
  libmbedtls10        2.8.0-1ubuntu0.1~esm1    Available with Ubuntu Pro
  libmbedx509-0       2.8.0-1ubuntu0.1~esm1    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8123-1
CVE-2021-44732, CVE-2024-23775, CVE-2025-27810, CVE-2025-47917,
CVE-2025-48965, CVE-2025-52496, CVE-2025-52497
