First published: Mon Dec 20 2021
Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ARM mbed TLS | <2.16.12 | Update to 2.16.12 (2.16 LTS branch) |
| ARM mbed TLS | >=2.17.0, <2.28.0 | Update to 2.28.0 |
| ARM mbed TLS | =3.0.0 | Update to 3.0.1 |
| ARM mbed TLS | =3.0.0-preview1 | Update to 3.0.1 |
| Debian Debian Linux | =10.0 | |
The vulnerability ID is CVE-2021-44732.
The severity of CVE-2021-44732 is critical, with a CVSS base score of 9.8.
ARM mbed TLS versions before 2.16.12, versions from 2.17.0 up to but not including 2.28.0, version 3.0.0, version 3.0.0-preview1, and Debian Linux 10.0 are affected by CVE-2021-44732.
CVE-2021-44732 is a double free in an out-of-memory error path: when an allocation fails while a session is being copied, as in a failing mbedtls_ssl_set_session() call, a heap buffer can end up referenced from more than one object and be freed twice during later cleanup. A double free corrupts heap metadata; the realistic outcome is a crash (denial of service), and the 9.8 rating reflects the possibility of arbitrary code execution that this class of bug carries. Note that the trigger is an allocation failure, so an attacker would need to drive the process into memory exhaustion first.
To fix CVE-2021-44732, update to the first fixed release on your branch: Mbed TLS 2.16.12 (2.16 LTS), 2.28.0 (2.x), or 3.0.1 (3.x) or later, or apply the patched package provided by your distribution or software vendor.
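The failure mode described above, shown as an added illustration of the bug class rather than Mbed TLS's own code: a session struct is shallow-copied with `*dst = *src`, and the pointer members are then replaced one by one with deep copies. If an early allocation fails, the members not yet reached still alias the source's buffers, and freeing both objects frees those buffers twice. Every name here (`session_t`, `session_copy_vulnerable`, `session_copy_fixed`, `run_scenario`, the tracked allocator) is made up for this example; the allocator's budget simulates out-of-memory, and its live-pointer table counts a second free of the same block instead of performing it, so the program can report the defect without invoking undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session object with two heap-owned buffers (example only). */
typedef struct {
    unsigned char *ticket;
    size_t ticket_len;
    unsigned char *peer_cert;
    size_t peer_cert_len;
} session_t;

/* Instrumented heap: an allocation budget to simulate OOM, plus a live-pointer
 * table so a second free of the same block is counted, not executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int allocs_remaining = -1;   /* negative means unlimited */
static int double_free_count = 0;

static void *tracked_alloc(size_t n) {
    if (allocs_remaining == 0) return NULL;      /* simulated out-of-memory */
    if (allocs_remaining > 0) allocs_remaining--;
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;                                 /* table full: treat as OOM */
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;                         /* block already released: double free */
}

int live_blocks(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) n++;
    return n;
}

static unsigned char *dup_bytes(const unsigned char *src, size_t n) {
    unsigned char *p = tracked_alloc(n ? n : 1);
    if (p) memcpy(p, src, n);
    return p;
}

static void session_free(session_t *s) {
    tracked_free(s->ticket);
    tracked_free(s->peer_cert);
    memset(s, 0, sizeof *s);
}

/* Vulnerable pattern: shallow copy, then deep-copy members in order. If the
 * ticket allocation fails, dst->peer_cert still points at src's buffer. */
static int session_copy_vulnerable(session_t *dst, const session_t *src) {
    *dst = *src;
    dst->ticket = dup_bytes(src->ticket, src->ticket_len);
    if (!dst->ticket) return -1;                 /* dst->peer_cert aliases src */
    dst->peer_cert = dup_bytes(src->peer_cert, src->peer_cert_len);
    if (!dst->peer_cert) return -1;
    return 0;
}

/* Hardened pattern: dst starts zeroed so it never aliases src; only scalars are
 * copied by assignment, and on failure dst releases exactly what it owns. */
static int session_copy_fixed(session_t *dst, const session_t *src) {
    memset(dst, 0, sizeof *dst);
    dst->ticket_len = src->ticket_len;
    dst->peer_cert_len = src->peer_cert_len;
    dst->ticket = dup_bytes(src->ticket, src->ticket_len);
    if (!dst->ticket) goto fail;
    dst->peer_cert = dup_bytes(src->peer_cert, src->peer_cert_len);
    if (!dst->peer_cert) goto fail;
    return 0;
fail:
    session_free(dst);
    return -1;
}

/* Build a source session, copy it under an allocation budget, then free both,
 * as an application would after a failed set_session call. Returns the number
 * of double frees the tracked heap observed. */
int run_scenario(int use_fixed, int copy_alloc_budget) {
    static const unsigned char tick[] = "constructed-ticket";     /* constructed sample data */
    static const unsigned char cert[] = "constructed-peer-cert";
    session_t src, dst;
    double_free_count = 0;
    allocs_remaining = -1;
    memset(&src, 0, sizeof src);
    src.ticket_len = sizeof tick;
    src.ticket = dup_bytes(tick, src.ticket_len);
    src.peer_cert_len = sizeof cert;
    src.peer_cert = dup_bytes(cert, src.peer_cert_len);

    allocs_remaining = copy_alloc_budget;        /* OOM after this many allocations */
    if (use_fixed) session_copy_fixed(&dst, &src);
    else           session_copy_vulnerable(&dst, &src);
    allocs_remaining = -1;

    session_free(&dst);                          /* caller cleans up the failed copy */
    session_free(&src);                          /* and later the original session */
    return double_free_count;
}

int main(void) {
    printf("vulnerable copy, OOM on first allocation: %d double free(s)\n", run_scenario(0, 0));
    printf("fixed copy,      OOM on first allocation: %d double free(s)\n", run_scenario(1, 0));
    printf("fixed copy,      OOM on second allocation: %d double free(s)\n", run_scenario(1, 1));
    printf("blocks still live: %d\n", live_blocks());
    return 0;
}
```

The vulnerable copy only shows the defect when an allocation before the last member fails, because each failed `dup_bytes` overwrites its own member with NULL but leaves the members after it aliased. The hardened version does not depend on allocation order: whatever fails, `dst` owns only what it allocated, so the caller's cleanup is always safe.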