CVE-2025-47917

{"id": "CVE-2025-47917", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 6.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-07-20T19:15:23.847", "references": [{"url": "https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md", "tags": ["Third Party Advisory", "Mitigation"], "source": "cve@mitre.org"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN)."}, {"lang": "es", "value": "Mbed TLS anterior a la versi\u00f3n 3.6.4 permite el use-after-free en ciertas situaciones de aplicaciones desarrolladas de acuerdo con la documentaci\u00f3n. La funci\u00f3n mbedtls_x509_string_to_names() toma un argumento principal documentado como argumento de salida. La documentaci\u00f3n no sugiere que la funci\u00f3n libere dicho puntero; sin embargo, la funci\u00f3n llama a mbedtls_asn1_free_named_data_list() con dicho argumento, lo que realiza una liberaci\u00f3n profunda. Como resultado, es probable que el c\u00f3digo de la aplicaci\u00f3n que utiliza esta funci\u00f3n (bas\u00e1ndose \u00fanicamente en el comportamiento documentado) a\u00fan contenga punteros a los bloques de memoria liberados, lo que resulta en un alto riesgo de use-after-free o doble liberaci\u00f3n. En particular, los dos programas de ejemplo x509/cert_write y x509/cert_req se ven afectados (use-after-free si la cadena san contiene m\u00e1s de un DN)."}], "lastModified": "2025-08-07T01:18:26.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB29564B-3A9D-4AC0-8F39-052B7A555C19", "versionEndExcluding": "3.6.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}