CVE-2015-8036

Severity CVSS v4.0:
Pending analysis
Type:
CWE-119 Buffer Errors
Publication date:
02/11/2015
Last modified:
12/04/2025

Description

Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* 1.3.0 (including) 1.3.14 (excluding)
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* 2.0.0 (including) 2.1.2 (excluding)
cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:* 1.2.17 (including)
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*