## Vulnerability Key Information Summary

### Vulnerability Overview

| Item | Content |
|:---|:---|
| **CVE ID** | CVE-2026-34874 |
| **Title** | Null pointer dereference when setting a distinguished name |
| **Discovery Date** | March 31, 2026 |
| **Severity** | HIGH |
| **Impact** | Arbitrary code execution |
| **Reporter** | Hanato Kimura (Stella) |

**Vulnerability Details**: An attacker can cause a memory allocation failure during the execution of `mbedtls_x509_string_to_names()`, resulting in a `memcpy()` call with a null pointer as the destination address. This function can also be called indirectly through the following functions:

- `mbedtls_x509write_csr_set_subject_name()`
- `mbedtls_x509write_crt_set_subject_name()`
- `mbedtls_x509write_crt_set_issuer_name()`

### Affected Scope

| Affected Versions | Unaffected Versions |
|:---|:---|
| Mbed TLS 3.5.0 to 3.6.5 | Mbed TLS 3.6.6 and later 3.6.x versions |
| Mbed TLS 4.0.0 | Mbed TLS 4.1.0 and later 4.x versions |

**Impact Notes**:

- On platforms with memory protection: May cause a segmentation fault
- On microcontrollers: May write data to the interrupt vector at address 0, thereby enabling arbitrary code execution

### Remediation Solutions

#### 1. Temporary Mitigation Measures

Ensure that Mbed TLS has sufficient memory when calling `mbedtls_x509_string_to_names()` so that `mbedtls_calloc()` does not fail.

On systems with memory protection where address 0 is not writable, this vulnerability will result in a segmentation fault or memory protection error, causing only denial of service (DoS) rather than arbitrary code execution.

#### 2. Official Fix

**Upgrade to Mbed TLS 3.6.6 or 4.1.0**

#### 3. Fix Commits (for maintenance branches)

| Branch | Commit Hash | Notes |
|:---|:---|:---|
| Mbed TLS 3.6.x - Base fix | `bfaf4a76fd33da860796feab6235847acb71127` | TF: N/ |
| Mbed TLS 3.6.x - With tests and documentation | `branch up to 4704b6bbfdb963f1331582374e88118a4ad8f522` | TF: N/ |

> Note: The Mbed TLS development team only maintains official branches. These commits may not apply to older versions, and even if applicable, may not provide a complete fix.
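
To check a deployed build against the Affected Scope table above, the following added example (not code from Mbed TLS or from this advisory) classifies a version. It assumes the version is available as an `x.y.z` string or in the packed `0xMMNNPP00` layout of the library's `MBEDTLS_VERSION_NUMBER` macro; the function and enum names are hypothetical, and versions the table does not list are reported as unlisted rather than guessed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: these names are hypothetical, not Mbed TLS API. */
typedef enum { VERDICT_AFFECTED, VERDICT_FIXED, VERDICT_UNLISTED } verdict_t;

/* Pack major.minor.patch as MBEDTLS_VERSION_NUMBER does: 0xMMNNPP00. */
#define VER(maj, min, pat) \
    (((uint32_t)(maj) << 24) | ((uint32_t)(min) << 16) | ((uint32_t)(pat) << 8))

/* Classify a packed version against the advisory's Affected Scope table. */
verdict_t cve_2026_34874_verdict(uint32_t v)
{
    v &= 0xFFFFFF00u; /* low byte is 00 in this layout; ignore it */

    if ((v >= VER(3, 5, 0) && v <= VER(3, 6, 5)) || v == VER(4, 0, 0))
        return VERDICT_AFFECTED;
    if (v >= VER(3, 6, 6) && v < VER(3, 7, 0))   /* later 3.6.x */
        return VERDICT_FIXED;
    if (v >= VER(4, 1, 0) && v < VER(5, 0, 0))   /* later 4.x */
        return VERDICT_FIXED;
    return VERDICT_UNLISTED; /* e.g. 3.4.x or 4.0.1: the table does not say */
}

/* Parse "x.y.z" into packed form; returns 0 on malformed input. */
uint32_t parse_version(const char *s)
{
    unsigned maj, min, pat;
    char trailing;
    if (s == NULL || sscanf(s, "%u.%u.%u%c", &maj, &min, &pat, &trailing) != 3)
        return 0;
    if (maj > 255 || min > 255 || pat > 255)
        return 0;
    return VER(maj, min, pat);
}

int main(void)
{
    /* Constructed sample inventory of version strings. */
    static const char *fleet[] = { "3.4.1", "3.5.0", "3.6.5", "3.6.6", "4.0.0", "4.1.0" };
    static const char *label[] = { "AFFECTED", "fixed", "not listed in advisory" };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++)
        printf("%-6s %s\n", fleet[i], label[cve_2026_34874_verdict(parse_version(fleet[i]))]);
    return 0;
}
```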