CVE-2018-19608 in ARM mbed TLS

Summary

by MITRE

Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.


Analysis

by VulDB Data Team • 06/05/2026

This vulnerability affects Arm Mbed TLS versions prior to 2.14.1, 2.7.8, and 2.1.17, specifically the RSA decryption operation used by RSA-without-(EC)DH(E) cipher suites. The flaw is a serious cryptographic weakness: it lets a local unprivileged attacker recover plaintext that should remain protected during RSA decryption. It stems from insufficient protection of the RSA decryption operation itself, which gives an attacker a path to exploiting the cryptographic implementation.

The implementation flaw is the lack of proper padding validation and of timing-attack resistance during RSA decryption. When the library processes RSA decryption requests within the specified cipher suites, it does not adequately protect against side-channel attacks that reveal information about the decrypted plaintext. This is particularly concerning because it undermines the fundamental security guarantees of RSA encryption, which is widely used for secure communications and authentication. By carefully analysing the behaviour of the decryption process, an attacker can potentially reconstruct sensitive data.

The operational impact extends beyond simple information disclosure, since the flaw undermines the core security assumptions of RSA-based cryptographic implementations. A local unprivileged attacker can exploit it to recover plaintext that should remain confidential, potentially compromising secure communications, digital signatures, and authentication mechanisms. Systems running Mbed TLS in server configurations with RSA-without-(EC)DH(E) cipher suites enabled are particularly affected, which makes the issue a significant concern for organizations maintaining legacy systems or outdated cryptographic libraries.

Mitigation should focus on immediate patching of affected Mbed TLS deployments to the recommended fixed releases. Organizations should inventory all systems that use vulnerable Mbed TLS versions and prioritize remediation accordingly. Security teams should also consider additional monitoring for suspicious cryptographic operations and, where RSA-without-(EC)DH(E) cipher suites are not strictly required, disabling them. The vulnerability aligns with CWE-310 and with ATT&CK techniques related to cryptographic attacks and credential access, underscoring the need for thorough cryptographic security reviews and proper implementation of side-channel resistance.
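To make the flaw described above and the side-channel-resistance mitigation concrete, here is an added C illustration that is not Mbed TLS code and not the project's actual fix: it contrasts an early-exit PKCS#1 v1.5 padding check with a constant-time one, counting how many bytes each reads so the data-dependent behaviour becomes visible. It assumes only standard headers; the sample blocks are constructed and are not real RSA output.

```c
#include <stddef.h>
#include <stdint.h>
struct unpad_result { int ok; size_t msg_off; size_t touched; };

/* 1 if x == 0, else 0, computed without a data-dependent branch. */
static uint32_t ct_is_zero(uint32_t x) { return (~(x | (0u - x))) >> 31; }
/* Early-exit check of a PKCS#1 v1.5 type-2 block: 00 02 PS(>= 8 non-zero) 00 M.
 * It stops at the first bad byte, so how much it reads depends on the decrypted
 * content: that data-dependent behaviour is what a local side-channel observer sees. */
static struct unpad_result unpad_early_exit(const uint8_t *em, size_t em_len)
{
    struct unpad_result r = { 0, 0, 0 }; size_t i;
    if (em_len < 11) return r;
    r.touched++; if (em[0] != 0x00) return r;
    r.touched++; if (em[1] != 0x02) return r;
    for (i = 2; i < em_len; i++) { r.touched++; if (em[i] == 0x00) break; }
    if (i == em_len || i < 10) return r;  /* no separator, or PS shorter than 8 bytes */
    r.ok = 1; r.msg_off = i + 1;
    return r;
}

/* Constant-time check: reads every byte and folds each condition into a mask, so
 * time taken and memory touched do not depend on the block's content. */
static struct unpad_result unpad_constant_time(const uint8_t *em, size_t em_len)
{
    struct unpad_result r = { 0, 0, 0 }; size_t i;
    uint32_t bad, found = 0, sep = 0;
    if (em_len < 11) return r;              /* the length is public; branching on it is fine */
    bad  = ct_is_zero(em[0]) ^ 1u;
    bad |= ct_is_zero(em[1] ^ 0x02u) ^ 1u;
    r.touched = 2;
    for (i = 2; i < em_len; i++) {
        uint32_t z = ct_is_zero(em[i]);
        uint32_t first = z & (found ^ 1u);  /* 1 only at the first zero byte */
        sep |= (uint32_t)i & (0u - first);  /* record that index exactly once */
        found |= z;
        r.touched++;
    }
    bad |= found ^ 1u;                      /* no separator at all */
    bad |= (sep - 10u) >> 31;               /* 1 if sep < 10: PS shorter than 8 bytes */
    r.ok = (int)(bad ^ 1u);
    r.msg_off = (size_t)sep + 1;            /* meaningful only when ok == 1 */
    return r;  /* a TLS server must also act on ok == 0 without leaking it, e.g. by substituting a random premaster secret */
}
/* Constructed 16-byte sample blocks (not real RSA output): valid, wrong type byte, PS too short. */
static const uint8_t em_valid[16]   = { 0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','e','l','l','o' };
static const uint8_t em_badtype[16] = { 0x01,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','e','l','l','o' };
static const uint8_t em_shortps[16] = { 0x00,0x02,0x11,0x22,0x00,0x44,0x55,0x66,0x77,0x88,0x99,'h','e','l','l','o' };
```

Both functions reach the same verdict on every block, but the early-exit version reads 1, 5 or 11 bytes depending on where the block goes wrong, while the constant-time version always reads all 16.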

Reservation

11/27/2018

Disclosure

12/05/2018

Moderation

accepted

CPE

ready

EPSS

0.00279

KEV

no

Activities

very low
