Bug 2382187 (CVE-2025-47917)

Summary: CVE-2025-47917 mbedtls: Mbed TLS Use-After-Free Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in mbedtls. The `mbedtls_x509_string_to_names()` function incorrectly documents a head argument as an output, leading to a use-after-free vulnerability when applications follow the provided documentation. This vulnerability allows a network-based attacker to trigger this condition, potentially resulting in a denial of service or information disclosure. This issue occurs due to improper handling of memory after it has been freed.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2382247, 2382250, 2382253, 2382255, 2382246, 2382248, 2382249, 2382251, 2382252, 2382254, 2382256    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-20 19:01:12 UTC 
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).