{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/crypto/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32283"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","tls","crypto/tls"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-32283 describes a vulnerability within the crypto/tls component related to the processing of TLS 1.3 KeyUpdate records. The core issue stems from the lack of proper authentication for these KeyUpdate records. An attacker exploiting this flaw can send unauthenticated KeyUpdate records to a vulnerable server. The server, upon processing these records, may retain connections persistently or enter a denial-of-service (DoS) state due to resource exhaustion. This vulnerability poses a significant risk to systems relying on TLS 1.3 for secure communication. While the specific vulnerable products are not detailed in the source, the report does mention Microsoft as the affected vendor. 
Defenders must identify and patch the vulnerable crypto/tls implementations to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a TLS 1.3 connection with a vulnerable server.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious TLS 1.3 KeyUpdate record without proper authentication.\u003c/li\u003e\n\u003cli\u003eAttacker sends the unauthenticated KeyUpdate record to the target server over the established TLS connection.\u003c/li\u003e\n\u003cli\u003eThe vulnerable crypto/tls implementation on the server processes the malformed KeyUpdate record.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the server\u0026rsquo;s connection state becomes inconsistent.\u003c/li\u003e\n\u003cli\u003eThe server retains the connection persistently due to the invalid state.\u003c/li\u003e\n\u003cli\u003eAttacker repeats steps 2-6 to exhaust server resources with numerous persistent connections.\u003c/li\u003e\n\u003cli\u003eThe server enters a denial-of-service (DoS) condition, becoming unresponsive to legitimate requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32283 can lead to a denial-of-service condition, rendering affected servers unavailable. The number of affected victims will vary based on the deployment of vulnerable crypto/tls implementations. Services relying on TLS 1.3 for secure communication are at risk. 
If the attack succeeds, legitimate users will be unable to access the affected services, potentially causing significant disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all systems using the crypto/tls component from Microsoft to determine if they are vulnerable to CVE-2026-32283.\u003c/li\u003e\n\u003cli\u003eApply the security updates released by Microsoft to patch CVE-2026-32283 on all affected systems as soon as they are available, according to the Microsoft Security Update Guide.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious TLS KeyUpdate records, focusing on malformed or unauthenticated packets using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:43:55Z","date_published":"2026-04-30T08:43:55Z","id":"/briefs/2026-04-tls-keyupdate-dos/","summary":"CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.","title":"CVE-2026-32283 Unauthenticated TLS 1.3 KeyUpdate DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tls-keyupdate-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34875"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","mbedtls","crypto","cve-2026-34875"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability has been identified in Mbed TLS, a widely used open-source cryptographic library. Specifically, CVE-2026-34875 affects Mbed TLS versions up to 3.6.5 and TF-PSA-Crypto 1.0.0. The vulnerability is triggered during the export of public keys associated with Finite Field Diffie-Hellman (FFDH) algorithms. 
This flaw can be exploited by an attacker to overwrite memory buffers, potentially leading to arbitrary code execution or a denial-of-service condition. Given the prevalence of Mbed TLS in embedded systems and other security-sensitive applications, this vulnerability poses a significant risk to a wide range of devices and services. Defenders should prioritize patching and mitigation efforts to prevent potential exploitation. The vulnerability was published on 2026-04-01.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a system using a vulnerable version of Mbed TLS (\u0026lt;= 3.6.5) or TF-PSA-Crypto (1.0.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request that triggers the FFDH public key export function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function fails to properly validate the size of the buffer used to store the exported public key.\u003c/li\u003e\n\u003cli\u003eThe application attempts to copy the public key data into the undersized buffer.\u003c/li\u003e\n\u003cli\u003eA buffer overflow occurs, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of program execution by overwriting critical data structures or function pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as gaining unauthorized access, stealing sensitive data, or causing a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34875 can lead to a variety of severe consequences. The most critical outcome is arbitrary code execution, allowing attackers to gain complete control over the affected system. This could result in the theft of sensitive data, installation of malware, or disruption of critical services. 
Even without achieving code execution, the buffer overflow can cause a denial-of-service condition, rendering the system unusable. The wide adoption of Mbed TLS means that this vulnerability has the potential to impact numerous devices and applications across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mbed TLS to a patched version (later than 3.6.5) or TF-PSA-Crypto to a version that includes the fix for CVE-2026-34875.\u003c/li\u003e\n\u003cli\u003eApply input validation to any data that is used in the FFDH public key export functionality as a short-term workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect_MbedTLS_FFDH_Public_Key_Export\u003c/code\u003e to identify potential exploitation attempts by monitoring process memory writes in Mbed TLS processes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs, in combination with Mbed TLS, for anomalies in requests related to TLS key exchange to catch abnormal activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T18:16:31Z","date_published":"2026-04-01T18:16:31Z","id":"/briefs/2026-04-mbedtls-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-34875) exists in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0 during public key export for FFDH keys, potentially leading to code execution or denial of service.","title":"Mbed TLS FFDH Public Key Export Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-04-mbedtls-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Crypto","version":"https://jsonfeed.org/version/1.1"}