The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-45158

CVE-2024-45158: Arm Mbed TLS Buffer Overflow Vulnerability

CVE-2024-45158 is a stack buffer overflow flaw in Arm Mbed TLS 3.6 affecting ECDSA functions when processing oversized curve parameters. This article covers technical details, affected versions, impact, and mitigation.

Published: March 31, 2026

CVE-2024-45158 Overview

A critical stack buffer overflow vulnerability has been identified in Mbed TLS 3.6 before 3.6.1. The vulnerability exists in the mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() functions, which can be exploited when the bits parameter exceeds the largest supported curve. In certain configurations where PSA (Platform Security Architecture) is disabled, all values of the bits parameter are affected. While this vulnerability does not manifest in internal library calls, applications that directly invoke these functions are at risk.

Critical Impact

This stack buffer overflow vulnerability could allow remote attackers to execute arbitrary code, crash applications, or corrupt memory in systems using affected versions of Mbed TLS with direct function calls to the vulnerable ECDSA conversion routines.

Affected Products

  • Arm Mbed TLS 3.6.0
  • Applications using mbedtls_ecdsa_der_to_raw() directly
  • Applications using mbedtls_ecdsa_raw_to_der() directly

Discovery Timeline

  • 2024-09-05 - CVE CVE-2024-45158 published to NVD
  • 2025-05-16 - Last updated in NVD database

Technical Details for CVE-2024-45158

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption flaw that occurs when data written to a stack buffer exceeds its allocated size. The vulnerable functions mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() are responsible for converting ECDSA signatures between DER (Distinguished Encoding Rules) format and raw format. When an attacker provides a bits parameter larger than the maximum supported elliptic curve size, the functions fail to properly validate this input, leading to a buffer overflow condition on the stack.

The network-accessible nature of this vulnerability makes it particularly dangerous, as cryptographic operations using these functions could be triggered remotely through TLS handshakes or certificate processing operations in applications that directly call these APIs.

Root Cause

The root cause stems from insufficient input validation in the mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() functions. When processing the bits parameter, these functions do not adequately verify that the provided value falls within the bounds of supported elliptic curve sizes. This is exacerbated in configurations where PSA (Platform Security Architecture) is disabled, where all bits values become affected. The absence of proper boundary checks allows oversized data to overflow the fixed-size stack buffer allocated for signature conversion operations.

Attack Vector

The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can craft malicious input that triggers calls to the vulnerable ECDSA conversion functions with an oversized bits parameter. In scenarios where applications directly expose these functions through network-accessible interfaces (such as custom TLS implementations or certificate processing services), remote exploitation becomes feasible. The attack complexity is low, requiring only the ability to supply malformed cryptographic data to the target application.

The vulnerable functions are used for signature format conversion, meaning any application that processes external ECDSA signatures and directly uses these Mbed TLS functions could be vulnerable. Successful exploitation could result in arbitrary code execution with the privileges of the affected application.

Detection Methods for CVE-2024-45158

Indicators of Compromise

  • Unexpected application crashes or segmentation faults in processes using Mbed TLS
  • Memory corruption errors or stack smashing detection alerts
  • Abnormal behavior in TLS handshake processing or certificate validation
  • Log entries indicating buffer overflow protections being triggered

Detection Strategies

  • Monitor applications using Mbed TLS for unexpected crashes or memory errors
  • Implement stack canary protection to detect overflow attempts
  • Review application code for direct calls to mbedtls_ecdsa_der_to_raw() or mbedtls_ecdsa_raw_to_der()
  • Deploy runtime application self-protection (RASP) solutions to detect memory corruption

Monitoring Recommendations

  • Enable AddressSanitizer (ASan) in development and testing environments to catch buffer overflows
  • Monitor system logs for stack-smashing protection alerts from applications using Mbed TLS
  • Implement anomaly detection for cryptographic operation failures
  • Review network traffic for malformed ECDSA signature payloads targeting TLS connections

How to Mitigate CVE-2024-45158

Immediate Actions Required

  • Upgrade Mbed TLS to version 3.6.1 or later immediately
  • Audit application code for direct usage of mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der()
  • Enable PSA (Platform Security Architecture) if feasible, as this reduces the attack surface
  • Consider temporarily disabling or restricting access to applications making direct calls to vulnerable functions until patched

Patch Information

Arm has released Mbed TLS version 3.6.1 which addresses this stack buffer overflow vulnerability. The patch implements proper bounds checking for the bits parameter in both affected functions. Users should upgrade to version 3.6.1 or later as soon as possible. For detailed patch information, refer to the MbedTLS Security Advisory 2024-08-2 and the GitHub MbedTLS Releases page.

Workarounds

  • Avoid direct calls to mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() functions until patched
  • Enable PSA (Platform Security Architecture) in Mbed TLS configuration to limit vulnerability exposure
  • Implement application-level input validation to ensure bits parameter does not exceed maximum supported curve sizes
  • Deploy the application with stack protection mechanisms enabled (e.g., -fstack-protector-strong)
bash
# Upgrade Mbed TLS to patched version
# Clone the latest release and rebuild
git clone --branch v3.6.1 https://github.com/Mbed-TLS/mbedtls.git
cd mbedtls
mkdir build && cd build
cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On ..
make
sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechArm Mbed Tls
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability0.68%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-121
  • Technical References
  • GitHub MbedTLS Releases
  • Vendor Resources
  • Mbed TLS Security Advisories
  • MbedTLS Security Advisory 2024-08-2
  • Related CVEs
  • CVE-2025-52497: Arm Mbed TLS Buffer Overflow Vulnerability
  • CVE-2023-43615: Arm Mbed TLS Buffer Overflow Vulnerability
  • CVE-2025-52496: Arm Mbed TLS Race Condition Vulnerability
  • CVE-2025-48965: Arm Mbed TLS Use-After-Free Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English