CVE-2021-43666
In short
A flaw in mbed TLS allows an attacker to crash the system by providing an empty password to the password derivation function. This can interrupt services that rely on this library for encryption operations.
Technical detail
A null pointer dereference or buffer handling error in mbedtls_pkcs12_derivation occurs when the function processes a zero-length password, allowing an unauthenticated attacker to trigger a denial of service. The vulnerability affects mbed TLS versions 3.0.0 and earlier; exploitation only requires that the vulnerable function be invoked with an empty password parameter.
Summary generated and translated by AI from the official description.
A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a