CVE-2021-44732 — CRITICAL (9.8)

Q: What is CVE-2021-44732?

CVE-2021-44732 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.

Q: How severe is CVE-2021-44732?

CVE-2021-44732 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-44732?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Debian Debian Linux.

Vulnerability Description

Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Arm	Mbed Tls	< 2.16.12
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-415

References

https://bugs.gentoo.org/829660Issue TrackingMailing ListThird Party Advisory
https://github.com/ARMmbed/mbedtls/releasesRelease Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12Release Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0Release Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0Release Notes
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.htmlMailing ListThird Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-ExploitMitigationThird Party Advisory
https://bugs.gentoo.org/829660Issue TrackingMailing ListThird Party Advisory
https://github.com/ARMmbed/mbedtls/releasesRelease Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12Release Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0Release Notes
https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0Release Notes
https://lists.debian.org/debian-lts-announce/2022/12/msg00036.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-ExploitMitigationThird Party Advisory

FAQ

What is CVE-2021-44732?

CVE-2021-44732 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.

How severe is CVE-2021-44732?

CVE-2021-44732 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-44732?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Debian Debian Linux.