CVE-2015-5291

Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.

Published: 2015-11-02 Last update: 2026-06-05 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2015-5291 is rated Moderate Risk (56.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.05%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-5291

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-03 1.71% 2.05% +0.34%
2 2025-03-30 3.45% 1.71% -1.74%
3 2025-03-29 3.45%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-5291

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 6.4 [email protected]

Weakness enumeration for CVE-2015-5291

OS Trackers for CVE-2015-5291

vendor priority summary link
debian unimportant CVE-2015-5291 unimportant priority: Debian including 1 source packages (mbedtls), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2015-5291
gentoo high CVE-2015-5291: 1 GLSA(s) (201706-18), 1 atom(s) (net-libs/mbedtls); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-5291
ubuntu medium CVE-2015-5291 medium priority: Ubuntu including 2 source packages (mbedtls, polarssl), 23 status rows across 12 suites (artful, bionic, cosmic, disco, precise, trusty, upstream, vivid, wily, xenial, yakkety, zesty): DNE 11, not-affected 7, released 3, ignored 2. https://ubuntu.com/security/CVE-2015-5291

Affected software / configurations for CVE-2015-5291

Vendor Product Version Raw CPE
polarssl polarssl >= 1.0.0, < 1.2.17 cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*
trustedfirmware mbed_tls >= 1.3.0, < 1.3.14 cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*
trustedfirmware mbed_tls >= 2.0.0, < 2.1.2 cpe:2.3:a:trustedfirmware:mbed_tls:*:*:*:*:*:*:*:*
debian debian_linux 7.0 cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
debian debian_linux 8.0 cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
fedoraproject fedora 21 cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
fedoraproject fedora 22 cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
fedoraproject fedora 23 cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
opensuse leap 42.1 cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
opensuse opensuse 13.2 cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

References for CVE-2015-5291

URL Tags
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html Mailing List Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html Mailing List Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html Mailing List Third Party Advisory
http://www.debian.org/security/2016/dsa-3468 Third Party Advisory
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf Third Party Advisory
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/ Third Party Advisory
https://security.gentoo.org/glsa/201706-18 Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 Vendor Advisory
cvelogic Threat Intelligence