Double Free Affecting mbedtls package, versions <2.16.12-r0
Threat Intelligence
EPSS: 0.41% (75th percentile)
Snyk ID: SNYK-ALPINE320-MBEDTLS-7010189
- published 23 May 2024
- disclosed 20 Dec 2021
Introduced: 20 Dec 2021
CVE-2021-44732
How to fix?
Upgrade the Alpine:3.20 mbedtls package to version 2.16.12-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream mbedtls package and not the mbedtls package as distributed by Alpine. See "How to fix?" above for the Alpine:3.20 fixed versions and status.
Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure.
The version bound above is NVD's wording; upstream shipped the fix in the 2.16.12, 2.28.0 and 3.1.0 releases linked under References, and the Alpine fix is the backport carried in 2.16.12-r0.
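The NVD text names the trigger (an allocation failure inside a session copy) but not the mechanism. The example below is added here and is not Mbed TLS's code: `session_t`, `model_calloc`, `fail_alloc_after` and the sample buffers are constructed for illustration. It models the bug class: a session copy that does a shallow struct copy and then deep-copies each heap-owned member. If an allocation fails before a member has been deep-copied, the error return leaves the destination still pointing at the source's buffer, and freeing both objects later frees that buffer twice. The hardened variant beside it clears the pointers immediately after the shallow copy and, on failure, releases only what the destination allocated itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a session with two heap-owned members.
 * Illustration only; not mbedtls_ssl_session or ssl_session_copy(). */
typedef struct {
    unsigned char *peer_cert;
    size_t peer_cert_len;
    unsigned char *ticket;
    size_t ticket_len;
} session_t;

/* Hypothetical allocator hook to simulate out-of-memory:
 * -1 never fails, 0 fails the next call, k fails the (k+1)-th call. */
static int fail_alloc_after = -1;

static void *model_calloc(size_t n, size_t sz)
{
    if (fail_alloc_after == 0)
        return NULL;
    if (fail_alloc_after > 0)
        fail_alloc_after--;
    return calloc(n, sz);
}

static void session_free(session_t *s)
{
    free(s->peer_cert);
    free(s->ticket);
    memset(s, 0, sizeof *s);
}

/* Vulnerable pattern: after `*dst = *src` every pointer in dst aliases src.
 * An early error return leaves members not yet deep-copied still aliased,
 * so freeing dst and src afterwards frees the same buffer twice. */
static int session_copy_vulnerable(session_t *dst, const session_t *src)
{
    *dst = *src;
    if (src->peer_cert != NULL) {
        dst->peer_cert = model_calloc(1, src->peer_cert_len);
        if (dst->peer_cert == NULL)
            return -1;                  /* dst->ticket still == src->ticket */
        memcpy(dst->peer_cert, src->peer_cert, src->peer_cert_len);
    }
    if (src->ticket != NULL) {
        dst->ticket = model_calloc(1, src->ticket_len);
        if (dst->ticket == NULL)
            return -1;
        memcpy(dst->ticket, src->ticket, src->ticket_len);
    }
    return 0;
}

/* Hardened pattern: dst never holds a pointer it does not own, and the
 * failure path unwinds only dst's own allocations. */
static int session_copy_fixed(session_t *dst, const session_t *src)
{
    *dst = *src;
    dst->peer_cert = NULL;              /* drop the aliases right away */
    dst->ticket = NULL;
    if (src->peer_cert != NULL) {
        dst->peer_cert = model_calloc(1, src->peer_cert_len);
        if (dst->peer_cert == NULL)
            goto fail;
        memcpy(dst->peer_cert, src->peer_cert, src->peer_cert_len);
    }
    if (src->ticket != NULL) {
        dst->ticket = model_calloc(1, src->ticket_len);
        if (dst->ticket == NULL)
            goto fail;
        memcpy(dst->ticket, src->ticket, src->ticket_len);
    }
    return 0;
fail:
    session_free(dst);                  /* frees only what dst allocated */
    return -1;
}

/* Runs one copy under simulated OOM and returns 1 if the failed copy left
 * dst sharing a heap buffer with src (the double-free precondition), else 0.
 * Cleanup detaches aliased pointers so the harness itself never double frees. */
static int copy_leaves_alias(int (*copy)(session_t *, const session_t *),
                             int fail_on)
{
    session_t src, dst;
    memset(&src, 0, sizeof src);
    memset(&dst, 0, sizeof dst);
    src.peer_cert_len = 4;                      /* constructed sample data */
    src.peer_cert = calloc(1, src.peer_cert_len);
    src.ticket_len = 8;
    src.ticket = calloc(1, src.ticket_len);

    fail_alloc_after = fail_on;
    int rc = copy(&dst, &src);
    fail_alloc_after = -1;

    int aliased = rc != 0 &&
        ((dst.peer_cert != NULL && dst.peer_cert == src.peer_cert) ||
         (dst.ticket != NULL && dst.ticket == src.ticket));

    if (dst.peer_cert == src.peer_cert) dst.peer_cert = NULL;
    if (dst.ticket == src.ticket) dst.ticket = NULL;
    session_free(&dst);
    session_free(&src);
    return aliased;
}

int main(void)
{
    printf("vulnerable, OOM on 1st alloc: aliased=%d\n",
           copy_leaves_alias(session_copy_vulnerable, 0));
    printf("fixed,      OOM on 1st alloc: aliased=%d\n",
           copy_leaves_alias(session_copy_fixed, 0));
    printf("fixed,      OOM on 2nd alloc: aliased=%d\n",
           copy_leaves_alias(session_copy_fixed, 1));
    return 0;
}
```

The harness deliberately detaches the aliased pointer before cleanup so it reports the precondition instead of crashing. Removing that step and building with `-fsanitize=address` turns the vulnerable case into a reported double free, which is the quickest way to confirm the same pattern in real code: any copy routine that shallow-copies a struct before deep-copying its owned pointers needs either the pointer-clearing step or a failure path that only releases what it allocated.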
References
- https://bugs.gentoo.org/829660
- https://github.com/ARMmbed/mbedtls/releases
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0
- https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
CVSS Scores
version 3.1