CVE-2026-34875
Mbed · Mbed TLS / TF-PSA-Crypto
A buffer overflow vulnerability in Mbed TLS and TF-PSA-Crypto occurs during FFDH public key export, potentially leading to remote code execution.
Executive summary
Mbed TLS and TF-PSA-Crypto libraries are vulnerable to a critical buffer overflow during key export operations, which could allow attackers to execute arbitrary code.
Vulnerability
A buffer overflow exists in the public key export function for Finite-Field Diffie-Hellman (FFDH) keys. This memory corruption flaw can be triggered during the processing of specific key data, potentially allowing for code execution.
Business impact
With a CVSS score of 9.8, this vulnerability is critical. Since these libraries are often used in embedded systems and IoT devices, a successful exploit could lead to widespread device compromise, data interception, and loss of device integrity.
Remediation
Immediate Action: Developers must update their applications to use Mbed TLS versions beyond 3.6.5 or the latest TF-PSA-Crypto patches that address the buffer overflow.
Proactive Monitoring: Monitor for application crashes in services that utilize Mbed TLS for encrypted communications, as these may indicate exploitation attempts.
Compensating Controls: Use compiler- and platform-level protections such as stack canaries and address space layout randomization (ASLR) to reduce the impact of buffer overflow vulnerabilities.
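To find bundled copies that still need the update described under Immediate Action, the following added example (not code from Mbed TLS or from this advisory) walks a source tree and reads MBEDTLS_VERSION_STRING from each vendored header. It assumes the usual header locations include/mbedtls/build_info.h (3.x) and include/mbedtls/version.h (2.x); the tree built in demo() and its 9.9.9 version are constructed, and TF-PSA-Crypto copies are not evaluated because the page names no fixed version for them.

```python
import re
import tempfile
from pathlib import Path

# Threshold from the remediation text: update to versions beyond 3.6.5.
LAST_LISTED_VERSION = (3, 6, 5)
# Assumed layout: Mbed TLS 3.x defines the macro in build_info.h, 2.x in version.h.
HEADER_NAMES = ("include/mbedtls/build_info.h", "include/mbedtls/version.h")
VERSION_RE = re.compile(
    r'^\s*#\s*define\s+MBEDTLS_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)"', re.M)


def header_version(path):
    """Return (major, minor, patch) parsed from a version header, or None."""
    m = VERSION_RE.search(path.read_text(errors="replace"))
    return tuple(int(x) for x in m.groups()) if m else None


def scan_tree(root):
    """Find vendored Mbed TLS copies under root and classify each by version."""
    findings = []
    for name in HEADER_NAMES:
        for hdr in Path(root).rglob(name):
            ver = header_version(hdr)
            if ver is None:  # e.g. a 3.x version.h, which only includes build_info.h
                continue
            # The page gives no lower bound, so everything up to 3.6.5 is flagged.
            status = "UPDATE" if ver <= LAST_LISTED_VERSION else "ABOVE_3.6.5"
            findings.append((hdr.relative_to(root).as_posix(), ver, status))
    return sorted(findings)


def demo():
    """Run the scan over a constructed tree holding two vendored copies."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: 9.9.9 is a placeholder, not a real release.
        for vendor, ver in (("fw/third_party/mbedtls", "3.6.5"),
                            ("gateway/deps/mbedtls", "9.9.9")):
            inc = Path(tmp, vendor, "include", "mbedtls")
            inc.mkdir(parents=True)
            (inc / "build_info.h").write_text(
                f'#define MBEDTLS_VERSION_STRING "{ver}"\n')
            (inc / "version.h").write_text('#include "mbedtls/build_info.h"\n')
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, ver, status in demo():
        print(f"{status:12} {'.'.join(map(str, ver))}  {path}")
```

A copy reported as ABOVE_3.6.5 is only past the version named here; confirm against the vendor's release notes that it carries the fix.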
Exploitation status
Public Exploit Available: No
Analyst recommendation
Immediate library updates are required for all software incorporating the affected Mbed TLS or TF-PSA-Crypto versions. Failure to patch may leave critical infrastructure and IoT devices vulnerable to remote exploitation.