CVE-2025-49600: 
Mbed TLS vulnerability analysis and mitigation

In MbedTLS 3.3.0 before 3.6.4, a vulnerability was discovered in the mbedtlslmsverify function that could allow acceptance of invalid signatures when hash computation fails and internal errors go unchecked. This vulnerability enables Leighton-Micali Signature (LMS) forgery in a fault scenario (MITRE, NVD).

The vulnerability stems from unchecked return values in mbedtlslmsverify, specifically in the internal Merkle tree functions createmerkleleafvalue and createmerkleinternalvalue. These functions return an integer indicating success or failure, but when failures occur, the output buffer (Tccandidateroot_node) may remain uninitialized, leading to unpredictable signature verification results. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (NVD).

When exploited, this vulnerability could allow an attacker to bypass LMS signature verification by reusing stale stack data, resulting in the acceptance of invalid signatures. While the software implementation of SHA-256 is not affected, systems using hardware-accelerated hashing are vulnerable to this attack (NVD).

The vulnerability has been fixed in MbedTLS version 3.6.4. Users are advised to upgrade to this version or later to address the security issue (NVD).