CVE-2025-47917
Published: 20 July 2025
Summary
CVE-2025-47917 is a high-severity use-after-free (CWE-416) vulnerability in Arm Mbed TLS. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 10.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the use-after-free vulnerability by requiring timely remediation through upgrading Mbed TLS to version 3.6.4 or later, as recommended in the security advisory.
- RA-5 (Vulnerability Monitoring and Scanning): Enables proactive scanning and monitoring to identify systems using vulnerable Mbed TLS versions affected by CVE-2025-47917 during certificate parsing or generation.
- SI-16 (Memory Protection): Provides memory protection mechanisms such as ASLR and DEP that reduce the exploitability of the use-after-free leading to code execution or DoS.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques? The use-after-free in the Mbed TLS X.509 parsing function directly enables remote exploitation of public-facing applications via crafted certificate input (a multi-DN SAN string), leading to code execution or memory corruption.
NVD Description
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
Deeper analysis
CVE-2025-47917 is a use-after-free vulnerability (CWE-416) in the Mbed TLS cryptographic library versions prior to 3.6.4. The issue arises in the mbedtls_x509_string_to_names() function, which accepts a head argument documented solely as an output parameter. Contrary to the documentation, the function internally calls mbedtls_asn1_free_named_data_list() on this argument, performing a deep free. Applications developed in strict accordance with the documentation may retain pointers to the freed memory, leading to use-after-free or double-free conditions. Notably, the library's sample programs x509/cert_write and x509/cert_req are affected, triggering use-after-free when the SAN string contains more than one distinguished name (DN).
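The contract mismatch described in the NVD text and above is easiest to see in a small model. The following C program is an added illustration and is not Mbed TLS code or the project's sample programs; the list type, pool allocator and function names (named_data, string_to_names, build_san_shared_head, build_san_owned) are assumed stand-ins. It models a head argument that is documented as output-only but is deep-freed on entry, then contrasts the caller pattern that reuses one head variable across a two-DN SAN string (the pattern the advisory says leaves the first entry dangling) with a caller that gives each entry its own freshly initialised head. Freed nodes are quarantined in a fixed pool rather than returned to the heap, so the dangling pointer can be inspected without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of an ASN.1 named-data list. NOT Mbed TLS code: nodes come from
 * a fixed pool and a "freed" flag stands in for free(), so the demo can look
 * at a dangling pointer safely. All names here are assumed stand-ins. */
typedef struct named_data {
    char value[32];
    struct named_data *next;
    int freed;                        /* 1 once the node has been "freed" */
} named_data;

#define POOL_SIZE 32
static named_data pool[POOL_SIZE];
static int pool_used;

static named_data *node_alloc(const char *value) {
    if (pool_used >= POOL_SIZE) return NULL;
    named_data *n = &pool[pool_used++];
    memset(n, 0, sizeof *n);
    strncpy(n->value, value, sizeof n->value - 1);
    return n;
}

/* Stands in for mbedtls_asn1_free_named_data_list(): deep-frees every node
 * and resets *head. Freed nodes stay in the pool (quarantined). */
static void free_named_data_list(named_data **head) {
    for (named_data *cur = *head; cur; cur = cur->next) cur->freed = 1;
    *head = NULL;
}

/* Models the pre-3.6.4 behaviour from the advisory: head is documented as
 * output-only, yet whatever it already points to is deep-freed before the
 * "k=v,k=v" components are parsed into a new list. */
static int string_to_names(named_data **head, const char *dn) {
    free_named_data_list(head);                 /* the undocumented free */
    char buf[128];
    strncpy(buf, dn, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    named_data *tail = NULL;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        named_data *n = node_alloc(tok);
        if (n == NULL) return -1;
        if (tail) tail->next = n; else *head = n;
        tail = n;
    }
    return 0;
}

typedef struct { named_data *dn; } san_entry;

/* Caller written "per the documentation": one head variable is reused for
 * every DN and each entry keeps the resulting pointer, so the second call
 * frees the list the first entry still references. */
static int build_san_shared_head(san_entry *out, const char *const *dns, int n) {
    named_data *head = NULL;
    for (int i = 0; i < n; i++) {
        if (string_to_names(&head, dns[i]) != 0) return -1;
        out[i].dn = head;
    }
    return 0;
}

/* Hardened caller: a fresh NULL head per DN hands ownership to the entry,
 * so a later call has nothing to free behind the caller's back. Safe under
 * both the old (freeing) and the corrected function behaviour. */
static int build_san_owned(san_entry *out, const char *const *dns, int n) {
    for (int i = 0; i < n; i++) {
        named_data *head = NULL;
        if (string_to_names(&head, dns[i]) != 0) return -1;
        out[i].dn = head;
    }
    return 0;
}

/* Returns 1 if any entry references a freed node; only safe because the
 * model quarantines freed nodes instead of handing them back to the heap. */
static int has_dangling(const san_entry *e, int n) {
    for (int i = 0; i < n; i++)
        for (const named_data *c = e[i].dn; c; c = c->next)
            if (c->freed) return 1;
    return 0;
}

/* Constructed SAN input with two DNs, the case the advisory calls out. */
static const char *const SAN_DNS[] = { "CN=first,O=Example", "CN=second,O=Example" };

static int demo_shared_head(void) {       /* returns 1: entry 0 dangles */
    san_entry e[2];
    pool_used = 0;
    return build_san_shared_head(e, SAN_DNS, 2) == 0 ? has_dangling(e, 2) : -1;
}

static int demo_owned(void) {             /* returns 0: every entry owns its list */
    san_entry e[2];
    pool_used = 0;
    return build_san_owned(e, SAN_DNS, 2) == 0 ? has_dangling(e, 2) : -1;
}

int main(void) {
    printf("shared head variable: dangling=%d\n", demo_shared_head());
    printf("owned list per entry: dangling=%d\n", demo_owned());
    return 0;
}
```

The point for reviewers of dependent code is the ownership rule, not the model: any caller that passes a non-NULL head into the affected function on a pre-3.6.4 library must treat the old list as gone, and callers that keep a pointer to it (as the shared-head variant does) are exactly what a sanitizer build or the 3.6.4 upgrade is meant to catch or remove.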
Remote attackers require no privileges or user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:N) but face high attack complexity to exploit this over the network. Successful exploitation changes scope (S:C) and can result in low confidentiality impact alongside high integrity and availability impacts (C:L/I:H/A:H), with an overall score of 8.9. Attackers could potentially achieve arbitrary code execution, memory corruption, or denial of service by supplying crafted input, such as a multi-DN SAN string, to applications invoking the vulnerable function during certificate parsing or generation.
The Mbed TLS security advisory (2025-06-7) and related documentation recommend upgrading to version 3.6.4 or later, where the function's behavior is corrected to align with documentation. Debian LTS announcements detail backported fixes for affected distributions, urging users to apply updates promptly to mitigate risks in dependent applications.
Details
- CWE(s)