Use After Free Affecting mbedtls package, versions <2.16.4-1ubuntu2+esm1


Severity

Recommended
medium

Based on Ubuntu security rating.

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
1.99% (79th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UBUNTU2004-MBEDTLS-10877584
  • published9 Oct 2025
  • disclosed20 Jul 2025

Introduced: 20 Jul 2025

CVE-2025-47917  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade Ubuntu:20.04 mbedtls to version 2.16.4-1ubuntu2+esm1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream mbedtls package and not the mbedtls package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

CVSS Base Scores

version 3.1