CVE-2025-47917: 
Mbed TLS vulnerability analysis and mitigation

Mbed TLS before version 3.6.4 contains a use-after-free vulnerability that affects applications developed according to the documentation. The vulnerability was discovered and disclosed in July 2025, affecting the mbedtlsx509stringtonames() function implementation (NVD, Debian Tracker).

The vulnerability stems from the mbedtlsx509stringtonames() function, which takes a head argument documented as an output argument. While the documentation doesn't indicate that the function will free the pointer, it calls mbedtlsasn1freenameddata_list() on that argument, performing a deep free operation. The vulnerability has been assigned a CVSS v3.1 base score of 8.9 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H and is classified as CWE-416 (Use After Free) (NVD, Rapid7).

The vulnerability results in application code potentially holding pointers to freed memory blocks, leading to a high risk of use-after-free or double-free conditions. This particularly affects two sample programs: x509/certwrite and x509/certreq, which experience use-after-free issues when the san string contains more than one DN (NVD).

The vulnerability has been fixed in Mbed TLS version 3.6.4. Users are advised to upgrade to this version or later. For Debian systems, fixed packages are available in the trixie and sid releases with version 3.6.4-2 (Debian Tracker).