CVE-2025-27809

Publication date 25 March 2025

Last updated 8 October 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mbedtls	25.10 questing	Vulnerable
	25.04 plucky	Vulnerable
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
mbedtls	Upstream: e61852e Upstream: 6b88594 Upstream: 0178dc9 Upstream: 7656ad7 Upstream: 2c33c75 Upstream: 1f6864b Upstream: 3a2f75d Upstream: f33c45f Upstream: 63f958d Upstream: ae59c52 Upstream: 551756d Upstream: 18b52ce

Severity score breakdown

Parameter	Value
Base score	5.4 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N