CVE-2026-25834 - Vulnerability Details

Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Mbed-tls	Mbedtls

No data.

References

Link	Providers
https://mbed-tls.readthedocs.io/en/latest/security-advisories/
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-sigalg-injection/
https://nvd.nist.gov/vuln/detail/CVE-2026-25834
https://www.cve.org/CVERecord?id=CVE-2026-25834

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mbed-tls Mbed-tls mbedtls
Vendors & Products		Mbed-tls Mbed-tls mbedtls

Thu, 02 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		mbedtls: Mbed TLS: Algorithm downgrade vulnerability
Weaknesses		CWE-358
References		https://nvd.nist.gov/vuln/detail/CVE-2026-25834 https://www.cve.org/CVERecord?id=CVE-2026-25834
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
Weaknesses		CWE-295 CWE-327
References		https://mbed-tls.readthedocs.io/en/latest/security-advisories/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-sigalg-injection/
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-01T00:00:00.000Z

Updated: 2026-04-01T18:54:32.185Z

Reserved: 2026-02-06T00:00:00.000Z

Link: CVE-2026-25834

Vulnrichment

Updated: 2026-04-01T18:53:07.443Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T18:16:28.127

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-25834

Redhat

Severity : Moderate

Publid Date: 2026-04-01T00:00:00Z

Links: CVE-2026-25834 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object