Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mbed_tls | Arm | * | 3.6.4 (excluding) |
| Mbedtls | Ubuntu | devel | * |
| Mbedtls | Ubuntu | esm-apps/bionic | * |
| Mbedtls | Ubuntu | esm-apps/focal | * |
| Mbedtls | Ubuntu | esm-apps/jammy | * |
| Mbedtls | Ubuntu | esm-apps/noble | * |
| Mbedtls | Ubuntu | esm-apps/xenial | * |
| Mbedtls | Ubuntu | jammy | * |
| Mbedtls | Ubuntu | noble | * |
| Mbedtls | Ubuntu | oracular | * |
| Mbedtls | Ubuntu | plucky | * |
| Mbedtls | Ubuntu | questing | * |
| Mbedtls | Ubuntu | upstream | * |