CVE-2025-49601 — Out-of-bounds Read in Mbedtls

CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

6.5MEDIUMNVD

CNA4.8

EPSS

0.1%

top 79.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS

Timeline

PublishedJul 4

Latest updateJul 7

Description

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5mbed/mbedtls3.3.0 — 3.6.4

▶NVDarm/mbed_tls3.3.0 — 3.6.4

▶Debianmbed/mbedtls< 3.6.4-1+1

🔴Vulnerability Details

OSV

CVE-2025-49601: In MbedTLS 3↗2025-07-04

▶

GHSA

GHSA-h9v9-9rwj-pmq9: In MbedTLS 3↗2025-07-04

▶

CVEList

CVE-2025-49601: In MbedTLS 3↗2025-07-04

▶

📋Vendor Advisories

Debian

CVE-2025-49601: mbedtls - In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that...↗2025

▶

💬Community

Bugzilla

CVE-2025-49601 micropython: MbedTLS LMS Public Key Out-of-Bounds Read [fedora-all]↗2025-07-07

▶