CVE-2025-49600 — Missing Cryptographic Step in Mbedtls

CWE-325 — Missing Cryptographic Step6 documents6 sources

Severity

4.9MEDIUMNVD

EPSS

0.0%

top 97.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS

Timeline

PublishedJul 4

Latest updateJul 7

Description

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of th…

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 0.5 | Impact: 4.0

Affected Packages3 packages

▶CVEListV5mbed/mbedtls3.3.0 — 3.6.4

▶NVDarm/mbed_tls3.3.0 — 3.6.4

▶Debianmbed/mbedtls< 3.6.4-1+1

🔴Vulnerability Details

GHSA

GHSA-r3gf-c2cf-vp8q: In MbedTLS 3↗2025-07-04

▶

CVEList

CVE-2025-49600: In MbedTLS 3↗2025-07-04

▶

OSV

CVE-2025-49600: In MbedTLS 3↗2025-07-04

▶

📋Vendor Advisories

Debian

CVE-2025-49600: mbedtls - In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures ...↗2025

▶

💬Community

Bugzilla

CVE-2025-49600 micropython: MbedTLS LMS Signature Forgery via Fault Injection [fedora-all]↗2025-07-07

▶