Issue
A NULL pointer dereference exists in distinguished name parsing that allows an attacker to write to address 0. It can be triggered through mbedtls_x509_string_to_names() and the related functions
- mbedtls_x509write_crt_set_subject_name(),
- mbedtls_x509write_crt_set_issuer_name(),
- mbedtls_x509write_csr_set_subject_name(), and
- mbedtls_x509write_csr_set_issuer_name()
when they are given crafted input strings. This can result in a crash or, on systems where address 0 is mapped, in memory corruption. Affects Mbed TLS through 3.6.5 and 4.x through 4.0.0.
https://nvd.nist.gov/vuln/detail/CVE-2026-34874
Workaround
Update to mbedTLS v3.6.6, TF-PSA-Crypto 1.1.0, or a newer version of either.
FSP v6.5.0 (scheduled for 2026/05/27) includes mbedTLS v3.6.6.