JLSEC-2025-230

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigg...

JLSEC Published: Nov 21, 2025
Modified: Nov 21, 2025
Affected Packages: MbedTLS_jll < 2.28.1010+0
Aliases / Upstream: CVE-2025-48965

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtlsasn1storenameddata can trigger conflicting data with val.p of NULL but val.len greater than zero.

References

https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/
https://lists.debian.org/debian-lts-announce/2025/08/msg00013.html