CVE-2015-8036

Name: CVE-2015-8036
Creator: NVD / NIST
Published: 2015-11-02T19:59:16.267+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 2.88%

Last modified Jun 17, 2026

CVE-2015-8036 is a vulnerability of currently unknown severity. Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.. EPSS estimates a 2.88% chance of exploitation in the next 30 days.

Description

Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.

Metrics

EPSS Probability

2.88%

85.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-119

Affected Software

Vendor	Product	Versions
Polarssl	Polarssl	<= 1.2.17
Trustedfirmware	Mbed Tls	>= 1.3.0, < 1.3.14
Trustedfirmware	Mbed Tls	>= 2.0.0, < 2.1.2
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0
Fedoraproject	Fedora	21
Opensuse	Opensuse	13.2

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.htmlMailing List, Third Party Advisory
http://www.debian.org/security/2016/dsa-3468Mailing List, Third Party Advisory
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdfThird Party Advisory
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.htmlMailing List, Third Party Advisory
http://www.debian.org/security/2016/dsa-3468Mailing List, Third Party Advisory
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdfThird Party Advisory
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01Vendor Advisory

Timeline

Published: Nov 2, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-8036?

How severe is CVE-2015-8036?

Severity scoring for CVE-2015-8036 is pending analysis. The EPSS model estimates a 2.88% probability of exploitation in the next 30 days.

How do I fix CVE-2015-8036?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-8036?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST