CVE-2025-49600
BaseFortify

Publication date: 2025-07-04

Last updated on: 2025-07-17

Assigner: MITRE

Description
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
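The pattern described above, as an added illustration that is not Mbed TLS code: a toy hash with a fault switch stands in for the hardware accelerator, and the names verify_unchecked, verify_checked and model_hash are hypothetical. In the unchecked version the candidate buffer is passed in by the caller only so that the "stale stack data" case can be reproduced deterministically; in the real code it is an uninitialized local.

```c
/* Simplified model of the unchecked-return pattern behind CVE-2025-49600.
 * Not Mbed TLS code: the hash is a toy mixing function whose fault switch
 * models a failing hardware accelerator. */
#include <stdint.h>
#include <string.h>

#define ROOT_LEN 8

/* Model of a hash-accelerator call: returns 0 on success, -1 on a fault.
 * On fault it writes nothing, just as a failing driver may leave its
 * output buffer untouched. */
static int model_hash(const uint8_t *in, size_t len, uint8_t out[ROOT_LEN], int fault)
{
    if (fault) return -1;
    uint8_t acc = 0x5a;
    for (size_t i = 0; i < ROOT_LEN; i++) out[i] = 0;
    for (size_t i = 0; i < len; i++) {
        acc = (uint8_t)(acc * 31 + in[i]);
        out[i % ROOT_LEN] ^= acc;
    }
    return 0;
}

/* Vulnerable shape: the return value of the hash step is ignored and the
 * candidate buffer is compared regardless, so whatever was already in it
 * (stale data from an earlier verification) decides the outcome. */
int verify_unchecked(uint8_t candidate[ROOT_LEN], const uint8_t *sig, size_t sig_len,
                     const uint8_t expected[ROOT_LEN], int fault)
{
    model_hash(sig, sig_len, candidate, fault); /* result never checked */
    return memcmp(candidate, expected, ROOT_LEN) == 0 ? 0 : -1;
}

/* Hardened shape: the buffer is zeroed first, every fallible step is checked,
 * and a failed hash fails closed instead of falling through to the compare. */
int verify_checked(const uint8_t *sig, size_t sig_len,
                   const uint8_t expected[ROOT_LEN], int fault)
{
    uint8_t candidate[ROOT_LEN] = {0};
    if (model_hash(sig, sig_len, candidate, fault) != 0)
        return -2; /* hash step failed: reject, do not compare */
    return memcmp(candidate, expected, ROOT_LEN) == 0 ? 0 : -1;
}
```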
Meta Information
Published: 2025-07-04
Last Modified: 2025-07-17
Generated: 2026-05-07
AI Q&A: 2025-07-04
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: arm
Product: mbed_tls
Version range: from 3.3.0 (inclusive) to 3.6.4 (exclusive)
CWE
CWE-325: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in MbedTLS versions 3.3.0 before 3.6.4 involves the mbedtls_lms_verify function potentially accepting invalid LMS signatures if hash computation fails and errors are not checked. Specifically, unchecked return values from internal Merkle tree functions can lead to uninitialized data being used, allowing an attacker who can induce faults in a hardware hash accelerator to bypass signature verification by reusing stale stack data, resulting in acceptance of forged signatures.


How can this vulnerability impact me?

The vulnerability allows an attacker capable of inducing faults in hardware hash accelerators to bypass LMS signature verification, potentially enabling signature forgery. This could lead to acceptance of invalid signatures, undermining the integrity of cryptographic operations that rely on LMS signatures, and possibly allowing unauthorized actions or data to be accepted as valid.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update MbedTLS to version 3.6.4 or later where the issue with unchecked return values in mbedtls_lms_verify is fixed. Additionally, avoid using hardware-accelerated hashing modules that may be susceptible to fault injection attacks until patched. Implement hardware protections against fault injection if possible.

