Mbed TLS up to 3.6.3 mbedtls_x509_string_to_names head use after free
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.9 | $0-$5k | 0.00 |
Summary
A vulnerability marked as critical has been reported in Mbed TLS up to 3.6.3. Affected is the function mbedtls_x509_string_to_names. This manipulation of the argument head causes use after free.
This vulnerability is handled as CVE-2025-47917. The attack can be initiated remotely. Additionally, an exploit exists.
It is suggested to upgrade the affected component.
Details
A vulnerability was found in Mbed TLS up to 3.6.3. It has been declared as critical. Affected by this vulnerability is the function mbedtls_x509_string_to_names. The manipulation of the argument head with an unknown input leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
The advisory is shared at mbed-tls.readthedocs.io. This vulnerability is known as CVE-2025-47917 since 05/14/2025. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known.
It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept.
Upgrading to version 3.6.4 eliminates this vulnerability.
The vulnerability is also documented in the databases at Exploit-DB (52427) and EUVD (EUVD-2025-22035). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.1VulDB Meta Temp Score: 7.9
VulDB Base Score: 5.6
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔒
CNA Base Score: 8.9
CNA Vector (MITRE): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Use after freeCWE: CWE-416 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Access: Public
Status: Proof-of-Concept
Download: 🔒
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Exploit-DB: 🔒
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: TLS 3.6.4
Timeline
05/14/2025 CVE reserved07/20/2025 Advisory disclosed
07/20/2025 VulDB entry created
09/17/2025 VulDB entry last update
Sources
Advisory: mbed-tls.readthedocs.ioStatus: Confirmed
CVE: CVE-2025-47917 (🔒)
GCVE (CVE): GCVE-0-2025-47917
GCVE (VulDB): GCVE-100-317041
EUVD: 🔒
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 07/20/2025 22:16Updated: 09/17/2025 05:08
Changes: 07/20/2025 22:16 (65), 07/20/2025 23:09 (1), 08/07/2025 03:29 (12), 09/17/2025 05:08 (11)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.