Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833) #435

@michaelthomasj

Description

Issue

A limited buffer underflow exists in x509_inet_pton_ipv6() when parsing IPv6 addresses in X.509 certificates and related inputs. In rare cases — for example on platforms with memory protection where the over-read crosses a page boundary — this can lead to a denial of service. Affects Mbed TLS 3.5.0 through 3.6.5.
https://nvd.nist.gov/vuln/detail/CVE-2026-25833

Workaround

Update to mbedTLS v3.6.6, TF-PSA-Crypto 1.1.0, or a newer version of either.
FSP v6.5.0 (scheduled for 2026/05/27) includes mbedTLS v3.6.6.
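
One way to find vendored Mbed TLS copies in the affected range stated above (3.5.0 through 3.6.5). This is an added example, not code from this issue or from the Mbed TLS or FSP projects. It assumes each copy keeps the upstream `build_info.h` with its `MBEDTLS_VERSION_STRING` define; the function names are hypothetical, and TF-PSA-Crypto is not checked.

```shell
#!/bin/sh
# Added example: flag Mbed TLS copies whose version is in 3.5.0..3.6.5.

# ver_to_int "3.6.5" prints 30605 (assumes each component is below 100)
ver_to_int() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))
}

# is_affected VERSION: succeeds when VERSION is within 3.5.0 through 3.6.5
is_affected() {
    v=$(ver_to_int "$1")
    [ "$v" -ge 30500 ] && [ "$v" -le 30605 ]
}

# scan_tree DIR: print "<path> <version> AFFECTED|ok" for every build_info.h
# that defines MBEDTLS_VERSION_STRING; returns 1 if any affected copy is found.
scan_tree() {
    found=0
    list=$(find "$1" -type f -name build_info.h)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # Matches MBEDTLS_VERSION_STRING only, not MBEDTLS_VERSION_STRING_FULL
        ver=$(sed -n 's/^#define[[:space:]]*MBEDTLS_VERSION_STRING[[:space:]]*"\([0-9.]*\)".*/\1/p' "$f" | head -n 1)
        [ -n "$ver" ] || continue
        if is_affected "$ver"; then
            echo "$f $ver AFFECTED"
            found=1
        else
            echo "$f $ver ok"
        fi
    done <<EOF
$list
EOF
    return "$found"
}

# Usage: sh scan_mbedtls.sh /path/to/project
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

The check reads only the version string, so a copy that was patched in place without a version bump is still reported as affected.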