CVE-2025-47917
Published: 20 July 2025
Summary
CVE-2025-47917 is a high-severity Use After Free (CWE-416) vulnerability in Arm Mbed TLS. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
Mbed TLS before version 3.6.4 contains a use-after-free vulnerability (CWE-416) in the function mbedtls_x509_string_to_names(). The routine performs a deep free via mbedtls_asn1_free_named_data_list() on its head argument, even though the documentation presents this argument solely as an output parameter whose storage remains under application control. Applications and the supplied sample programs x509/cert_write and x509/cert_req that follow only the documented contract therefore retain dangling pointers, exposing them to subsequent use-after-free or double-free conditions.
An unauthenticated remote attacker can trigger the flaw by supplying crafted certificate signing requests or certificate data containing multiple distinguished names in the subject alternative name field. Exploitation is rated high complexity but high impact: integrity and availability compromise, limited confidentiality loss, and a scope change, as reflected in the CVSS 8.9 rating.
Advisories published by the Mbed TLS project and mirrored in Debian LTS lists recommend upgrading to 3.6.4 or later; the EPSS score has remained low, moving only from 0.0843 to a peak of 0.0990 with no reported in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22035
Vulnerability details
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
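As an added stand-alone illustration (not Mbed TLS code) of the ownership mismatch described above: a constructed model of a named-data list whose string_to_names() deep-frees its head argument the way the advisory describes, next to the caller pattern that stays safe when a SAN carries several DNs. The node layout, the comma-split parsing and the function names are simplifications assumed here.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for mbedtls_asn1_named_data: one attribute value per node. */
typedef struct named_data { char *val; struct named_data *next; } named_data;

/* Models mbedtls_asn1_free_named_data_list(): deep-frees every node and NULLs *head. */
static void free_named_data_list(named_data **head)
{
    for (named_data *cur; (cur = *head) != NULL; free(cur))
        *head = cur->next;                       /* val lives inside the node */
}

/* Models the pre-3.6.4 contract described above: head is documented as output-only, yet
 * the routine deep-frees whatever it points to first. One node per comma-separated field. */
static int string_to_names(named_data **head, const char *s)
{
    named_data *tail = NULL;
    free_named_data_list(head);                  /* the undocumented deep free */
    while (*s != '\0') {
        const char *end = strchr(s, ',');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        named_data *n = calloc(1, sizeof *n + len + 1);   /* value stored after node */
        if (n == NULL) { free_named_data_list(head); return -1; }
        n->val = memcpy((char *)(n + 1), s, len);         /* calloc zero = terminator */
        *(tail ? &tail->next : head) = n;        /* append, keeping input order */
        tail = n;
        s = end ? end + 1 : s + len;
    }
    return 0;
}

/* Caller pattern that stays safe under the real behaviour when a SAN carries several DNs:
 * each DN gets its own head starting at NULL, no alias into an earlier list is kept, and
 * each list is freed once through its head (the free NULLs it, so a repeat is a no-op,
 * not a double free). Returns the total number of attributes parsed. */
size_t count_san_names(const char *const *dns, size_t ndn)
{
    size_t total = 0;
    for (size_t i = 0; i < ndn; i++) {
        named_data *head = NULL;
        if (string_to_names(&head, dns[i]) != 0) continue;
        for (named_data *p = head; p != NULL; p = p->next) total++;
        free_named_data_list(&head);             /* sole owner frees exactly once */
    }
    return total;
}
```

Running the same construction under ASan or Valgrind with the head reused across DNs while an earlier node pointer is still held reproduces the dangling-pointer pattern the sample programs suffered from.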
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free in the Mbed TLS X.509 name-parsing function is reachable in public-facing applications that accept crafted certificate input (a SAN with multiple DNs), giving memory corruption and potentially code execution, which is why Exploit Public-Facing Application (T1190) applies.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the use-after-free vulnerability by requiring timely remediation through upgrading Mbed TLS to version 3.6.4 or later, as recommended in the security advisory.
- RA-5 (Vulnerability Monitoring and Scanning): Enables proactive scanning and monitoring to identify systems using vulnerable Mbed TLS versions affected by CVE-2025-47917 during certificate parsing or generation.
- SI-16 (Memory Protection): Provides memory protection mechanisms such as ASLR and DEP that reduce the exploitability of the use-after-free leading to code execution or DoS.