ALT-PU-2025-16849-1

BDU:2025-09511

MEDIUM4.0

Уязвимость программного обеспечения Mbed TLS, связанная с использованием скрытых временных каналов для передачи данных, позволяющая нарушителю восстановить открытый текст

Published: 2025-08-08Modified: 2025-09-10

CVSS 3.xMEDIUM 4.0

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS 2.0LOW 2.6

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N

References

CVE-2025-49087

BDU:2025-09512

MEDIUM4.0

Уязвимость функции mbedtls_asn1_store_named_data программного обеспечения Mbed TLS, позволяющая нарушителю выполнить произвольный код

Published: 2025-08-08

CVSS 3.xMEDIUM 4.0

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

CVSS 2.0LOW 2.6

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:P

References

CVE-2025-48965

BDU:2025-09513

HIGH8.9

Уязвимость функции mbedtls_x509_string_to_names программного обеспечения Mbed TLS, позволяющая нарушителю выполнить произвольный код

Published: 2025-08-08Modified: 2025-11-26

CVSS 3.xHIGH 8.9

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

CVSS 2.0HIGH 7.3

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:C/A:C

References

CVE-2025-47917

BDU:2025-09514

MEDIUM4.8

Уязвимость функции mbedtls_lms_import_public_key() программного обеспечения Mbed TLS, позволяющая нарушителю вызвать отказ в обслуживании или раскрыть защищаемую информацию

Published: 2025-08-08

CVSS 3.xMEDIUM 4.8

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:P

References

CVE-2025-49601

BDU:2025-09515

MEDIUM4.9

Уязвимость функции mbedtls_lms_verify() программного обеспечения Mbed TLS, позволяющая нарушителю обойти существующие ограничения безопасности

Published: 2025-08-08

CVSS 3.xMEDIUM 4.9

CVSS:3.x/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:L/AC:H/Au:N/C:N/I:C/A:N

References

CVE-2025-49600

BDU:2025-09516

MEDIUM4.8

Уязвимость функций mbedtls_pem_read_buffer(), mbedtls_pk_parse() программного обеспечения Mbed TLS, позволяющая нарушителю вызвать отказ в обслуживании или раскрыть защищаемую информацию

Published: 2025-08-08

CVSS 3.xMEDIUM 4.8

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:P

References

CVE-2025-52497

BDU:2025-09517

HIGH7.8

Уязвимость функции mbedtls_aesni_has_support() программного обеспечения Mbed TLS, позволяющая нарушителю оказать воздействие на целостность и конфиденциальность защищаемой информации

Published: 2025-08-08Modified: 2025-11-26

CVSS 3.xHIGH 7.8

CVSS:3.x/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS 2.0MEDIUM 5.6

CVSS:2.0/AV:L/AC:H/Au:N/C:C/I:C/A:N

References

CVE-2025-52496

CVE-2025-47917

CRITICAL9.8

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

Published: 2025-07-20Modified: 2025-11-03

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2025-48965

HIGH7.5

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

Published: 2025-07-20Modified: 2025-11-03

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-49087

LOW3.7

In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.

Published: 2025-07-20Modified: 2025-08-07

CVSS 3.xLOW 3.7

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2025-49600

MEDIUM4.9

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.

Published: 2025-07-04Modified: 2025-07-17

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

References

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-3.md

CVE-2025-49601

MEDIUM6.5

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.

Published: 2025-07-04Modified: 2025-07-17

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

References

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-4.md

CVE-2025-52496

HIGH7.8

Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

Published: 2025-07-04Modified: 2025-11-03

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References

CVE-2025-52497

MEDIUM4.8

Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

Published: 2025-07-04Modified: 2025-11-03

CVSS 3.xMEDIUM 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

References

Package update mbedtls in branch sisyphus

Closed issues (14)

Уязвимость функции mbedtls_asn1_store_named_data программного обеспечения Mbed TLS, позволяющая нарушителю выполнить произвольный код

Уязвимость функции mbedtls_x509_string_to_names программного обеспечения Mbed TLS, позволяющая нарушителю выполнить произвольный код

Уязвимость функции mbedtls_lms_import_public_key() программного обеспечения Mbed TLS, позволяющая нарушителю вызвать отказ в обслуживании или раскрыть защищаемую информацию

Уязвимость функции mbedtls_lms_verify() программного обеспечения Mbed TLS, позволяющая нарушителю обойти существующие ограничения безопасности

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.

Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.