Cyber Resilience

CVE-2025-47917

Severity: High

Published: 20 July 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: upgrade to Mbed TLS 3.6.4 or later
CVSS Score (v3.1): 8.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
EPSS Score: 0.0843 (92.5th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-47917 is a high-severity Use After Free (CWE-416) vulnerability in Arm Mbed TLS. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 7.5% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

Mbed TLS before version 3.6.4 contains a use-after-free vulnerability (CWE-416) in the function mbedtls_x509_string_to_names(). The routine performs a deep free via mbedtls_asn1_free_named_data_list() on its head argument, even though the documentation presents this argument solely as an output parameter whose storage remains under application control. Applications and the supplied sample programs x509/cert_write and x509/cert_req that follow only the documented contract therefore retain dangling pointers, exposing them to subsequent use-after-free or double-free conditions.

An unauthenticated remote attacker can trigger the flaw by supplying crafted certificate signing requests or certificate data containing multiple distinguished names in the subject alternative name field. Successful exploitation yields high-complexity but high-impact outcomes that include integrity and availability compromise with limited confidentiality loss and a scope change, as reflected in the CVSS 8.9 rating.

Advisories published by the Mbed TLS project and mirrored in Debian LTS lists recommend upgrading to 3.6.4 or later; the EPSS score has remained low, moving only from 0.0843 to a peak of 0.0990 with no reported in-the-wild exploitation.

Vulnerability details

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
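The ownership mismatch described above, as an added example that is not Mbed TLS code: a simplified stand-in (the model_ names are hypothetical) for a routine that deep-frees the list its documented output argument already points to, beside the calling pattern that never hands it a live list and so is left holding no dangling pointer.

```c
/* Simplified model of the ownership hazard behind CVE-2025-47917. The model_
 * names are hypothetical stand-ins for the Mbed TLS types and functions. */
#include <stdlib.h>
#include <string.h>

typedef struct model_named_data {
    char *val;
    struct model_named_data *next;
} model_named_data;

/* Deep free of a whole list, like mbedtls_asn1_free_named_data_list(). */
static void model_free_list(model_named_data **head) {
    while (*head != NULL) {
        model_named_data *next = (*head)->next;
        free((*head)->val);
        free(*head);
        *head = next;
    }
}

/* Pre-3.6.4 mbedtls_x509_string_to_names() contract mismatch: `head` is
 * documented as an output, yet the list it already points to is deep-freed
 * before a new one-element list is built from `name`. Returns 0 or -1. */
static int model_string_to_names(model_named_data **head, const char *name) {
    model_free_list(head);                 /* the undocumented deep free */
    model_named_data *n = malloc(sizeof *n);
    if (n == NULL) return -1;
    size_t len = strlen(name) + 1;
    n->val = malloc(len);
    if (n->val == NULL) { free(n); return -1; }
    memcpy(n->val, name, len);
    n->next = NULL;
    *head = n;
    return 0;
}

/* cert_write/cert_req reused one head across SAN entries while an earlier
 * entry still referenced the previous list, which the next call freed. A safe
 * caller passes a fresh NULL head per DN and releases each list itself.
 * Returns the number of lists built; the caller owns out[0..built-1]. */
static int build_san_dirnames(const char *const *dns, int count,
                              model_named_data **out) {
    int built = 0;
    for (int i = 0; i < count; i++) {
        out[i] = NULL;                     /* never pass a live list in */
        if (model_string_to_names(&out[i], dns[i]) != 0) break;
        built++;
    }
    return built;
}
```

Building application code that calls the real routine with AddressSanitizer enabled is the quickest way to confirm whether a reused head is being touched after the library has freed it.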

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The use-after-free in the Mbed TLS X.509 parsing function directly enables remote exploitation of public-facing applications via crafted certificate input (a SAN containing more than one DN), leading to memory corruption or code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34877: same product (Arm Mbed TLS)
CVE-2026-34872: same product (Arm Mbed TLS)
CVE-2025-0015: same vendor (Arm)
CVE-2025-63651: shared CWE-416
CVE-2026-31972: shared CWE-416
CVE-2025-70968: shared CWE-416
CVE-2026-0794: shared CWE-416
CVE-2026-32942: shared CWE-416
CVE-2024-45434: shared CWE-416
CVE-2026-45185: shared CWE-416

Affected Assets

Vendor: Arm
Product: Mbed TLS
Versions: ≤ 3.6.4

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the use-after-free vulnerability by requiring timely remediation through upgrading Mbed TLS to version 3.6.4 or later, as recommended in the security advisory.

RA-5 Vulnerability Monitoring and Scanning (detect): enables proactive scanning and monitoring to identify systems running Mbed TLS versions affected by CVE-2025-47917 during certificate parsing or generation.

Memory protection (prevent): provides mechanisms such as ASLR and DEP that reduce the exploitability of the use-after-free, whether the outcome would be code execution or denial of service.
