Vulnerability DatabaseCVE-2021-45450

CVE-2021-45450:
Mbed TLS vulnerability analysis and mitigation

Overview

CVE-2021-45450 affects Mbed TLS versions before 2.28.0 and 3.x before 3.1.0. The vulnerability involves the functions psaciphergenerateiv and psacipher_encrypt, which allow policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application (NVD, Debian Tracker).

Technical details

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue specifically relates to the cryptographic implementation in the PSA (Platform Security Architecture) cipher functions, where the output buffer's location could be exploited (NVD).

Impact

The vulnerability could allow an attacker to bypass security policies or perform oracle-based decryption of data when the output buffer is accessible to untrusted applications. This primarily affects the confidentiality of the system, as indicated by the CVSS score showing high impact on confidentiality but no impact on integrity or availability (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Mbed TLS versions 2.28.0 and 3.1.0. Users are advised to upgrade to these or later versions. For Fedora users, updates are available for both Fedora 36 and 37 with version 2.28.1-1. Gentoo users should upgrade to version 2.28.1 or later (Fedora Update, Gentoo Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.5

Score

Published December 21, 2021

Severity HIGH

CNA Score N/A

Affected Technologies

Mbed TLS
Linux Gentoo

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 22

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

net-libs/mbedtls
cpe:2.3:a:arm:mbed_tls

Sources

Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Jan 11, 2023
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04 Severity MEDIUMNo FixAdded at: Oct 11, 2025
NVD
- Linux Severity HIGHHas FixAdded at: Jan 05, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Mbed TLS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-47917	CRITICAL	9.8	Mbed TLS	mbedtls	No	Yes	Jul 20, 2025
CVE-2025-48965	HIGH	7.5	Mbed TLS	mbedtls	No	Yes	Jul 20, 2025
CVE-2025-54764	MEDIUM	6.2	Mbed TLS	mbedtls	No	Yes	Oct 20, 2025
CVE-2025-59438	MEDIUM	5.3	Mbed TLS	mbedtls-devel	No	Yes	Oct 21, 2025
CVE-2025-49087	LOW	3.7	Mbed TLS	mbedtls	No	Yes	Jul 20, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-45450: Mbed TLS vulnerability analysis and mitigation