CVE-2025-49601

CVE-2025-49601

Name

CVE-2025-49601

Description

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
cve@mitre.org	https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-4.md

Type

URI

cve@mitre.org

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-4.md

CPE URI	Source package	Min version	Max version
	mbedtls	>= 3.3.0	< 3.6.4
`cpe:2.3:a:arm:mbed_tls::::::::`	mbed_tls	>= 3.3.0	< 3.6.4

CPE URI

Source package

Min version

Max version

mbedtls

>= 3.3.0

< 3.6.4

cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*

mbed_tls

>= 3.3.0

< 3.6.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
mbedtls	edge-main	3.6.4-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
mbedtls	edge-main	3.6.3.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	edge-main	3.6.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	edge-main	3.6.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	edge-main	3.6.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.22-main	3.6.4-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
mbedtls	3.22-main	3.6.3.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.22-main	3.6.3-r0	None	possibly vulnerable
mbedtls	3.22-main	3.6.2-r0	None	possibly vulnerable
mbedtls	3.22-main	3.6.1-r0	None	possibly vulnerable
mbedtls	3.21-main	3.6.4-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
mbedtls	3.21-main	3.6.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.21-main	3.6.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.21-main	3.6.1-r0	None	possibly vulnerable
mbedtls	3.20-main	3.6.4-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
mbedtls	3.20-main	3.6.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.20-main	3.6.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
mbedtls	3.20-main	3.6.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages