CVE-2024-23775 is an integer overflow vulnerability identified in the widely used cryptographic library Mbed TLS, specifically affecting versions 2.x prior to 2.28.7 and 3.x prior to 3.5.2. The flaw resides in the mbedtls_x509_set_extension() function, which handles setting X.509 certificate extensions. An integer overflow occurs when processing certain inputs, leading to memory corruption that can cause the application to crash, resulting in a denial of service (DoS). This vulnerability can be triggered remotely over the network without requiring any authentication or user interaction, making it highly accessible to attackers. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation (network vector, low attack complexity) and the impact on availability, though confidentiality and integrity are not affected. No known exploits have been reported in the wild as of the publication date. Mbed TLS is commonly embedded in IoT devices, network appliances, and various software requiring TLS/SSL cryptographic functions, meaning a broad range of products could be impacted. The vulnerability highlights the risks of integer overflow errors in security-critical code, emphasizing the importance of input validation and secure coding practices. Vendors and users are advised to upgrade to the patched versions 2.28.7 or 3.5.2 to remediate this issue.

The primary impact of CVE-2024-23775 is denial of service, which can disrupt availability of services relying on Mbed TLS for cryptographic operations. For European organizations, this could affect critical infrastructure, telecommunications, industrial control systems, and IoT deployments that embed Mbed TLS. Service outages could lead to operational downtime, loss of productivity, and potential cascading effects in interconnected systems. Although confidentiality and integrity are not directly compromised, the inability to maintain service availability can undermine trust and compliance with regulations such as GDPR if service disruptions affect customer-facing applications or data processing. The network-exploitable nature means attackers can remotely trigger the vulnerability without prior access, increasing risk. Organizations with large deployments of embedded devices or network equipment using vulnerable Mbed TLS versions are particularly at risk. The absence of known exploits currently provides a window for proactive patching to prevent incidents.

1. Immediately identify all systems and devices using Mbed TLS versions prior to 2.28.7 or 3.5.2 within the organization’s environment, including embedded and IoT devices. 2. Apply vendor-supplied patches or upgrade Mbed TLS libraries to version 2.28.7 or 3.5.2 or later as soon as possible. 3. For devices or software where patching is not immediately feasible, implement network-level mitigations such as firewall rules or intrusion prevention systems to block or monitor suspicious traffic targeting TLS certificate extension handling. 4. Conduct thorough testing of updated systems to ensure stability and compatibility post-patch. 5. Review and enhance input validation and error handling in custom applications interfacing with Mbed TLS to reduce risk of similar vulnerabilities. 6. Maintain an inventory of cryptographic libraries and their versions across all assets to facilitate rapid response to future vulnerabilities. 7. Monitor threat intelligence feeds for any emerging exploits targeting this vulnerability to adjust defenses accordingly.