CVE-2024-28960
Publication date 29 March 2024
Last updated 9 October 2025
Ubuntu priority
Description
An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mbedtls | 25.10 questing |
Not affected
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
hlibk
Affects versions from 2.18.0 until 2.28.8 and 3.6.0. The fix for this issue introduced a regression (GitHub issue 3266) which is yet to be resolved.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.2 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
References
Other references
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-03/
- https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
- https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/
- https://www.cve.org/CVERecord?id=CVE-2024-28960
- https://github.com/Mbed-TLS/mbedtls/issues/3266