CVE-2025-48965: 
Mbed TLS vulnerability analysis and mitigation

Mbed TLS before version 3.6.4 contains a NULL pointer dereference vulnerability identified as CVE-2025-48965. The vulnerability occurs in the mbedtlsasn1storenameddata function where conflicting data can be triggered with val.p of NULL but val.len greater than zero. This security issue was disclosed on July 20, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.0 (Medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L. The vulnerability is classified under CWE-696 (Incorrect Behavior Order). The issue specifically affects the ASN.1 parsing functionality in the mbedtlsasn1storenameddata function, where improper handling of NULL pointers can lead to a dereference condition (NVD).

The vulnerability affects the availability of systems using Mbed TLS, potentially leading to application crashes due to NULL pointer dereference. The CVSS scoring indicates that while the vulnerability can be exploited remotely, it requires high attack complexity and only impacts availability, with no effect on confidentiality or integrity (NVD).

Users are advised to upgrade to Mbed TLS version 3.6.4 or later, which contains the fix for this vulnerability. The issue affects multiple versions of various Linux distributions including Ubuntu and Debian, with fixes being rolled out through their respective security updates (Ubuntu, Debian).