CVE-2024-45157

Name: CVE-2024-45157
Creator: NVD / NIST
Published: 2024-09-05T19:15:12.96+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.1/10EPSS 0.24%

Last modified Jun 17, 2026

CVE-2024-45157 is a medium-severity vulnerability rated 5.1/10 on the CVSS scale. An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.. EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

Metrics

CVSS 3.1

5.1/10

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.24%

14.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-696

Affected Software

Vendor	Product	Versions
Trustedfirmware	Mbed Tls	>= 2.26.0, < 2.28.9
Trustedfirmware	Mbed Tls	>= 3.2.0, < 3.6.1

References

https://github.com/Mbed-TLS/mbedtls/releases/Release Notes
https://mbed-tls.readthedocs.io/en/latest/security-advisories/Vendor Advisory
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/Vendor Advisory

Timeline

Published: Sep 5, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-45157?

How severe is CVE-2024-45157?

CVE-2024-45157 has a CVSS score of 5.1/10 (MEDIUM severity). The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.

How do I fix CVE-2024-45157?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-45157?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST