MitreCVELIST:CVE-2020-36476

HistoryAug 23, 2021 - 12:00 a.m.

CVE-2020-36476

2021-08-2300:00:00

mitre

www.cve.org

mbed tls

missing zeroization

plaintext buffers

mbedtls_ssl_read

application data

memory

AI Score

7.4

Confidence

High

EPSS

0.003

Percentile

68.4%

JSON

An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.

References

github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

github.com/ARMmbed/mbedtls/releases/tag/v2.7.17

lists.debian.org/debian-lts-announce/2021/11/msg00021.html

lists.debian.org/debian-lts-announce/2022/12/msg00036.html