CVE-2025-47917 is a use-after-free vulnerability identified in the Mbed TLS cryptographic library prior to version 3.6.4. The flaw exists in the function mbedtls_x509_string_to_names(), which is designed to parse X.509 certificate strings into internal data structures. The function takes a pointer argument 'head' intended as an output parameter. However, contrary to the documentation, the function internally calls mbedtls_asn1_free_named_data_list() on this pointer, which performs a deep free of the memory it points to. As a result, application code that retains references to this pointer after the function call ends up with dangling pointers. This discrepancy between documented behavior and actual implementation leads to use-after-free or double-free conditions when the application attempts to access or free the memory again. The vulnerability is particularly triggered when the Subject Alternative Name (SAN) string contains multiple Distinguished Names (DNs), as demonstrated in the sample programs x509/cert_write and x509/cert_req. Exploiting this vulnerability could allow attackers to cause memory corruption, leading to denial of service or potentially arbitrary code execution. The CVSS v3.1 base score is 8.9, reflecting a network attack vector with high complexity, no privileges required, no user interaction, and a scope change. No known exploits are currently in the wild, but the vulnerability poses a significant risk due to its impact on confidentiality, integrity, and availability of affected systems.

For European organizations, the impact of CVE-2025-47917 can be substantial, especially for those relying on Mbed TLS in embedded systems, IoT devices, or network appliances that handle X.509 certificates for authentication and encryption. Successful exploitation could lead to memory corruption, causing application crashes or enabling attackers to execute arbitrary code remotely. This compromises the confidentiality and integrity of sensitive data and disrupts service availability. Critical infrastructure sectors such as telecommunications, manufacturing, automotive, and healthcare, which often deploy embedded devices using Mbed TLS, are particularly vulnerable. The vulnerability's network attack vector means attackers can exploit it remotely without authentication, increasing the risk of widespread exploitation. Additionally, the complexity of the attack and the need for specific certificate conditions may limit immediate exploitation but do not eliminate the threat. Organizations may face regulatory and compliance repercussions if the vulnerability leads to data breaches or service outages.

The primary mitigation is to upgrade all affected Mbed TLS instances to version 3.6.4 or later, where the use-after-free issue has been corrected. Organizations should audit their codebases for usage of the mbedtls_x509_string_to_names() function, especially in contexts handling multiple Distinguished Names in SAN strings, to ensure no unsafe pointer references persist after function calls. Developers should avoid relying solely on documentation and verify actual function behaviors through code review and testing. Implementing memory safety checks and employing tools such as AddressSanitizer during development can help detect use-after-free conditions. For embedded and IoT devices where immediate upgrades are challenging, applying runtime protections like Control Flow Integrity (CFI) and deploying network-level intrusion detection systems to monitor anomalous TLS certificate processing may reduce risk. Additionally, organizations should monitor vendor advisories for patches and exploit reports and incorporate vulnerability scanning into their security operations.