Issue
Serialized SSL context and session structures produced by the Mbed TLS serialization APIs are not sufficiently protected against tampering. An attacker who can modify a serialized structure before it is loaded back into the library can induce memory corruption when the deserialized data is used, leading to arbitrary code execution. Affects Mbed TLS versions from 2.19.0 through 3.6.5, and Mbed TLS 4.0.0.
https://nvd.nist.gov/vuln/detail/CVE-2026-34877
Workaround
Update to mbedTLS v3.6.6, TF-PSA-Crypto 1.1.0, or a newer version of either.
FSP v6.5.0 (scheduled for 2026/05/27) includes mbedTLS v3.6.6.
Applications that store or transmit serialized session/context data should treat it as security-sensitive and protect its integrity (e.g. with authenticated encryption) before persisting or sending it across an untrusted boundary.
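As an added illustration of the last point (this is example code, not part of the advisory or of Mbed TLS itself): the serialized blob is treated as opaque bytes and wrapped with AES-256-GCM before it leaves the process, and on reload it is only handed back to the deserialization API if the authentication tag verifies. The Go standard library is used here purely for the authenticated-encryption step; the blob is a constructed placeholder standing in for real `mbedtls_ssl_session_save()` output, and the 32-byte key and the `label` used as associated data (binding a blob to one purpose and format version) are assumptions of this example, with key storage left out of scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealSession wraps an opaque serialized TLS session/context blob so that any
// modification in storage or in transit is detected before deserialization.
// Output layout: nonce || AES-GCM ciphertext || 16-byte tag.
// label is used as associated data: it is authenticated but not encrypted, so a
// blob sealed for one purpose or format version cannot be replayed as another.
func SealSession(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes (32 here)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, blob, label), nil
}

// OpenSession verifies the tag and returns the original blob. It returns an
// error for a truncated, tampered or mislabelled blob; callers must never pass
// the bytes on to the library's load function unless err == nil.
func OpenSession(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed session too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	blob, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("sealed session failed authentication: refusing to deserialize")
	}
	return blob, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)          // constructed demo key, not for real use
	blob := []byte("constructed-serialized-session") // stands in for mbedtls_ssl_session_save() output
	label := []byte("mbedtls-session-v1")

	sealed, err := SealSession(key, blob, label)
	if err != nil {
		panic(err)
	}
	if got, err := OpenSession(key, sealed, label); err == nil && bytes.Equal(got, blob) {
		fmt.Println("intact blob: accepted, safe to pass to the load API")
	}

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // a single flipped bit inside the ciphertext
	if _, err := OpenSession(key, tampered, label); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The check that matters is the error path: a flipped bit anywhere in the stored bytes, a truncated file, or a blob sealed under a different label all fail `OpenSession`, so the unsafe deserialization described in the advisory is never reached with attacker-controlled input.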