CVE-2025-47917

HIGH

Mbed TLS < 3.6.4 - Use-After-Free in mbedtls_x509_string_to_names()

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-47917. PoCs published by Byte Reaper, byteReaper77.

AI-analyzed exploit summary This exploit leverages a use-after-free vulnerability in Mbed TLS ≤ 3.6.4 to achieve remote code execution by manipulating heap memory and injecting shellcode. It includes ASLR checks and heap spraying techniques to ensure reliability.

Description

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

Exploits (2)

exploitdb WORKING POC

by Byte Reaper · clocalmultiple

https://www.exploit-db.com/exploits/52427

View Code ZIP pw:eip

This exploit leverages a use-after-free vulnerability in Mbed TLS ≤ 3.6.4 to achieve remote code execution by manipulating heap memory and injecting shellcode. It includes ASLR checks and heap spraying techniques to ensure reliability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Mbed TLS ≤ 3.6.4

No auth needed

Prerequisites: ASLR disabled · root privileges to run the exploit

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by byteReaper77 · poc

https://github.com/byteReaper77/CVE-2025-47917

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-47917, a Use-After-Free (UAF) vulnerability in mbedTLS 3.6.4's name parsing function. The exploit leverages heap spraying and shellcode injection to achieve arbitrary code execution, demonstrated via a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: mbedTLS < 3.6.4

No auth needed

Prerequisites: Linux environment · mbedTLS < 3.6.4 installed · ASLR disabled · root privileges for setup

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Mitigation, Third Party Advisory

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md

View Writeup ZIP pw:eip

Vendor Advisory

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Mailing List

https://lists.debian.org/debian-lts-announce/2025/08/msg00013.html

Mailing List

https://lists.debian.org/debian-lts-announce/2025/08/msg00025.html

Scores

CVSS v3 8.9

EPSS 0.0843

EPSS Percentile 92.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (1)

arm/mbed_tls < 3.6.4

Published Jul 20, 2025

Tracked Since Feb 18, 2026