https://mbed-tls.readthedocs.io/en/latest/security-advisories/ reports:
- Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
- Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
- PSA random generator cloning (CVE-2026-25835)
- Compiler-induced constant-time violations (CVE-2025-66442)
- Null pointer dereference when setting a distinguished name (CVE-2026-34874)
- Buffer overflow in FFDH public key export (CVE-2026-34875)
- FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
- Signature Algorithm Injection (CVE-2026-25834)
- CCM multipart finish tag-length validation bypass (CVE-2026-34876)
- Risk of insufficient protection of serialized session or context data leading to potential memory safety issues (CVE-2026-34877)
- Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)