CVE-2025-49600

Name: CVE-2025-49600
Description: In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1108787
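The control-flow defect the description refers to is easier to see in a stripped-down model than in the real Merkle-tree code. The following C program is an added illustration written for this page; it is not Mbed TLS code and does not reproduce mbedtls_lms_verify. compute_candidate_root() is a hypothetical stand-in for the root recomputation (the role create_merkle_leaf_value and create_merkle_internal_value play in the advisory), with a flag that simulates a hash-accelerator fault: on fault it returns an error without writing its output buffer. verify_unchecked() drops that return code and compares whatever the buffer already holds, so if the frame still contains the root left behind by an earlier, legitimate verification (modelled here by pre-filling the buffer), a forged signature is accepted. verify_checked() shows the shape of the fix: propagate the error and never reach the comparison. The signatures and the toy derivation are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROOT_LEN 32          /* SHA-256-sized root, as in LMS with SHA-256 */
#define ERR_HW_FAULT (-1)    /* hash accelerator reported an error */
#define ERR_BAD_SIG  (-2)    /* candidate root does not match the public root */

/* HYPOTHETICAL stand-in for the Merkle-root recomputation. Real code hashes the
 * one-time-signature public key up the tree; a toy byte mix is enough to show
 * the control flow. On a simulated accelerator fault it returns an error and
 * leaves `out` untouched, which is exactly what makes an unchecked caller unsafe. */
static int compute_candidate_root(const uint8_t *sig, size_t sig_len,
                                  int inject_fault, uint8_t out[ROOT_LEN])
{
    if (sig_len == 0) return ERR_BAD_SIG;
    if (inject_fault) return ERR_HW_FAULT;          /* out is NOT written */
    for (size_t i = 0; i < ROOT_LEN; i++)
        out[i] = (uint8_t)(sig[i % sig_len] ^ (uint8_t)(i * 31u));
    return 0;
}

/* Constant-time equality so the comparison itself is not the weak point. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable shape: the return code is discarded and whatever `candidate`
 * already holds is compared against the public root. */
int verify_unchecked(const uint8_t pub_root[ROOT_LEN], const uint8_t *sig,
                     size_t sig_len, int inject_fault, uint8_t candidate[ROOT_LEN])
{
    (void)compute_candidate_root(sig, sig_len, inject_fault, candidate);
    return ct_equal(pub_root, candidate, ROOT_LEN) ? 0 : ERR_BAD_SIG;
}

/* Hardened shape: every internal failure fails closed before any comparison. */
int verify_checked(const uint8_t pub_root[ROOT_LEN], const uint8_t *sig,
                   size_t sig_len, int inject_fault, uint8_t candidate[ROOT_LEN])
{
    int ret = compute_candidate_root(sig, sig_len, inject_fault, candidate);
    if (ret != 0) return ret;
    return ct_equal(pub_root, candidate, ROOT_LEN) ? 0 : ERR_BAD_SIG;
}

/* Constructed scenario. `candidate` is pre-filled with the public root to model
 * stale stack contents left in the same frame by an earlier legitimate verify.
 * forged: use the forged signature; inject_fault: simulate the accelerator
 * failing; checked: use the hardened verifier instead of the vulnerable one. */
int run_scenario(int forged, int inject_fault, int checked)
{
    static const uint8_t good_sig[8] = {0x10,0x22,0x33,0x44,0x55,0x66,0x77,0x88}; /* constructed */
    static const uint8_t bad_sig[8]  = {0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef}; /* constructed */
    uint8_t pub_root[ROOT_LEN], candidate[ROOT_LEN];

    /* Key-generation stand-in: the public root is what good_sig legitimately derives to. */
    if (compute_candidate_root(good_sig, sizeof good_sig, 0, pub_root) != 0) return -99;
    memcpy(candidate, pub_root, ROOT_LEN);          /* stale data from an earlier verify */

    const uint8_t *sig = forged ? bad_sig : good_sig;
    return checked ? verify_checked(pub_root, sig, sizeof bad_sig, inject_fault, candidate)
                   : verify_unchecked(pub_root, sig, sizeof bad_sig, inject_fault, candidate);
}

int main(void)
{
    printf("unchecked, forged sig, accelerator fault: %d (0 means accepted)\n", run_scenario(1, 1, 0));
    printf("checked,   forged sig, accelerator fault: %d\n", run_scenario(1, 1, 1));
    return 0;
}
```

Without a fault both verifiers agree (valid signature accepted, forged one rejected), which is why the bug is invisible with the software SHA-256 backend that never fails; the difference only appears on the error path, and the hardened version surfaces ERR_HW_FAULT instead of a verdict.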

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version              Status
mbedtls (PTS)    bullseye             2.16.9-0.1           fixed
                 bullseye (security)  2.16.9-0.1+deb11u1   fixed
                 bookworm             2.28.3-1             fixed
                 trixie, sid          3.6.3-1              vulnerable

The information below is based on the following data on fixed versions.

Package   Type    Release      Fixed Version    Urgency   Origin   Debian Bugs
mbedtls   source  bullseye     (not affected)
mbedtls   source  bookworm     (not affected)
mbedtls   source  (unstable)   (unfixed)                           1108787

Notes

[bookworm] - mbedtls <not-affected> (Vulnerable code not present)
[bullseye] - mbedtls <not-affected> (Vulnerable code not present)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-3.md
