CVE-2025-27810: Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or...

The vulnerability (CVE-2025-27810) describes a scenario where Mbed TLS uses uninitialized stack memory to compose the TLS Finished message due to failed memory allocation or hardware errors. The provided commits (primarily 68014b2b80491318eb7e08b1d690e7ebe27d249f) show modifications to the calc_finished family of functions (ssl_calc_finished_ssl, ssl_calc_finished_tls, ssl_calc_finished_tls_sha256, ssl_calc_finished_tls_sha384). These functions are responsible for computing the Finished message. The patches change their return type from void to int and ensure that errors from underlying cryptographic operations (specifically PSA functions like psa_hash_clone and psa_hash_finish in the SHA256/384 variants) are propagated. Before the patch, if these operations failed, the functions would return without an error, and a stack-allocated buffer (padbuf) used in the PRF calculation for the Finished message could contain uninitialized data. This uninitialized padbuf would then be used to generate the buf (the content of the Finished message), leading to the vulnerability. The functions mbedtls_ssl_write_finished and mbedtls_ssl_parse_finished were also patched to check the return values of these calc_finished functions, but the core issue of using uninitialized memory for composition lies within the calc_finished functions themselves.