CVE-2025-47917
BaseFortify
Publication date: 2025-07-20
Last updated on: 2025-11-03
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arm | mbed_tls | up to 3.6.4 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free issue in Mbed TLS versions before 3.6.4. The function mbedtls_x509_string_to_names() is documented to output data through a pointer argument without freeing what that pointer already references. Internally, however, it frees the memory pointed to by this argument, contrary to the documentation. Applications that rely on the documented behavior may therefore keep using pointers to memory that has already been freed, leading to use-after-free or double-free errors. This particularly affects the sample programs x509/cert_write and x509/cert_req when the subject alternative name (SAN) string contains more than one distinguished name (DN).
How can this vulnerability impact me?
The vulnerability can lead to use-after-free or double-free conditions in applications using Mbed TLS, which can cause crashes, memory corruption, or potentially allow an attacker to execute arbitrary code or cause denial of service. Given the CVSS score of 8.9, it is considered a high severity issue with network attack vector, requiring high attack complexity but no privileges or user interaction. This can impact the stability and security of applications relying on Mbed TLS for cryptographic operations.
What immediate steps should I take to mitigate this vulnerability?
Update Mbed TLS to version 3.6.4 or later, which fixes the use-after-free in mbedtls_x509_string_to_names(). Until the update is applied, avoid running the affected sample programs x509/cert_write and x509/cert_req with SAN strings containing more than one DN.
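The defect class behind this CVE is an output-parameter function whose documentation says "I only write through this pointer" while the implementation also frees what the pointer already references. The following is an added example, not Mbed TLS code and not a reproduction of mbedtls_x509_string_to_names(): it builds a small DN attribute list with hypothetical functions (names_append, names_replace, names_free, names_count, demo_multi_dn_append) whose ownership rules are explicit, so that a caller parsing several DN components into one list, as cert_write does for a multi-entry SAN, can hold a pointer across calls without it being freed underneath it. The sample DN strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical API, not Mbed TLS): a DN attribute list with
 * explicit ownership. names_append() never frees caller nodes; names_replace()
 * is the only routine that frees, and its name says so. */

typedef struct name_node {
    char *type;              /* attribute type as text, e.g. "CN", "O" */
    char *val;               /* attribute value */
    struct name_node *next;
} name_node;

/* Free an entire list. Safe on NULL. */
void names_free(name_node *head) {
    while (head) {
        name_node *next = head->next;
        free(head->type);
        free(head->val);
        free(head);
        head = next;
    }
}

static char *dup_range(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse "TYPE=value,TYPE=value" and APPEND the parsed nodes to *head.
 * Contract: never frees or relinks nodes already reachable from *head;
 * on error the caller's list is left untouched. Returns nodes added or -1. */
int names_append(name_node **head, const char *dn) {
    name_node *built = NULL, **tail = &built;
    int count = 0;
    const char *p = dn;
    while (*p) {
        const char *eq = strchr(p, '=');
        const char *end = strchr(p, ',');
        if (!end) end = p + strlen(p);
        if (!eq || eq > end || eq == p) { names_free(built); return -1; }
        name_node *n = calloc(1, sizeof *n);
        if (!n) { names_free(built); return -1; }
        n->type = dup_range(p, (size_t)(eq - p));
        n->val = dup_range(eq + 1, (size_t)(end - eq - 1));
        if (!n->type || !n->val) { names_free(n); names_free(built); return -1; }
        *tail = n; tail = &n->next; count++;
        p = (*end == ',') ? end + 1 : end;
    }
    /* Splice the new nodes after the caller's existing ones. */
    name_node **last = head;
    while (*last) last = &(*last)->next;
    *last = built;
    return count;
}

/* Replace the list: frees the old nodes and installs the parsed ones. This is
 * the ONLY function that frees caller memory. After it returns, every pointer
 * the caller held into the old list is invalid, and the name makes that clear. */
int names_replace(name_node **head, const char *dn) {
    name_node *fresh = NULL;
    int count = names_append(&fresh, dn);
    if (count < 0) return -1;        /* old list untouched on failure */
    names_free(*head);
    *head = fresh;
    return count;
}

int names_count(const name_node *head) {
    int c = 0;
    for (; head; head = head->next) c++;
    return c;
}

/* Models a cert_write-style caller handling a SAN with several DN components:
 * each call appends, so the alias taken after the first call stays valid.
 * Returns 1 when the caller's pointer survived all calls. */
int demo_multi_dn_append(void) {
    name_node *list = NULL;
    if (names_append(&list, "CN=example.test,O=Example") != 2) return 0;
    name_node *first = list;         /* alias the caller keeps across calls */
    if (names_append(&list, "OU=Infra") != 1) return 0;
    int ok = (list == first) && names_count(list) == 3 &&
             strcmp(first->val, "example.test") == 0;
    names_free(list);
    return ok;
}

int main(void) {
    printf("append keeps caller pointers valid: %s\n",
           demo_multi_dn_append() ? "yes" : "no");
    return 0;
}
```

The design point is that freeing is never a side effect of an "output" function: a caller can see from the signature and the name whether a call may invalidate pointers it holds. When auditing code that passes a pointer-to-pointer into a library, check the documented ownership rule against what the callee actually does with the existing value, which is exactly the mismatch this CVE describes.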