Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 07 Aug 2025 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Arm
Arm mbed Tls
CPEs cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
Vendors & Products Arm
Arm mbed Tls

Tue, 22 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 20 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
Description Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-07-22T14:22:38.872Z

Reserved: 2025-05-14T00:00:00.000Z

Link: CVE-2025-47917

cve-icon Vulnrichment

Updated: 2025-07-22T14:22:35.575Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-20T19:15:23.847

Modified: 2025-08-07T01:18:26.983

Link: CVE-2025-47917

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-21T15:16:53Z