CVE-2025-52497: 
Mbed TLS vulnerability analysis and mitigation

Mbed TLS before version 3.6.4 contains a PEM parsing vulnerability identified as CVE-2025-52497. The vulnerability manifests as a one-byte heap-based buffer underflow in the mbedtls_pem_read_buffer and two mbedtls_pk_parse functions when processing untrusted PEM input. This security issue was disclosed on July 4, 2025, affecting all versions of Mbed TLS prior to 3.6.4 (NVD, Ubuntu).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 4.8. The attack vector is network-based (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low impacts on confidentiality (C:L) and availability (A:L), but no impact on integrity (I:N). The vulnerability is categorized as CWE-193 (Off-by-one Error) (NVD).

The heap-based buffer underflow vulnerability can potentially lead to system crashes and limited information disclosure when processing untrusted PEM input. The vulnerability affects the confidentiality and availability of systems using affected versions of Mbed TLS, though the impact is considered low due to the high attack complexity required (NVD).

The primary mitigation is to upgrade to Mbed TLS version 3.6.4 or later, which contains the fix for this vulnerability. Various Linux distributions, including Ubuntu, have marked this vulnerability for evaluation and are working on providing updated packages (Ubuntu).