CVE-2024-45157
Publication date 5 September 2024
Last updated 9 October 2025
Ubuntu priority
Description
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Read the notes from the security team
Why is this CVE negligible priority?
issue in documentation and not in behavior
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mbedtls | 25.10 questing |
Not affected
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
hlibk
Affects versions since 2.26.0 until 2.28.9 and 3.6.1. Upstream developers have decided to accept the behavior and instead opted for fixing the documentation. As the fix only addresses the documentation, the priority has been lowered. The CVE description contains the relevant information to consider.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.1 · Medium
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |