Mbed TLS 3.6.4
Description
This release includes fixes for security issues.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Who should update
We recommend that all users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Security Advisories
For full details, please see the following links:
- Race condition in AESNI support detection
- Heap buffer under-read when parsing PEM-encrypted material
- Unchecked return value in LMS verification allows signature bypass
- Out-of-bounds read in mbedtls_lms_import_public_key()
- Timing side-channel in block cipher decryption with PKCS#7 padding
- NULL pointer dereference after using mbedtls_asn1_store_named_data()
- Misleading memory management in mbedtls_x509_string_to_names()
Release Notes
Features
- Add the function mbedtls_ssl_export_keying_material() which allows the client and server to extract additional shared symmetric keys from an SSL session, according to the TLS-Exporter specification in RFC 8446 and 5705. This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in mbedtls_config.h.
Security
- Fix a buffer overread in mbedtls_lms_import_public_key() when the input is less than 3 bytes. Reported by Linh Le and Ngan Nguyen from Calif. CVE-2025-49601
- Fix a vulnerability in LMS verification through which an adversary could get an invalid signature accepted if they could cause a hash accelerator to fail. Found and reported by Linh Le and Ngan Nguyen from Calif. CVE-2025-49600
- On x86/amd64 platforms, with some compilers, when the library is compiled with support for both AESNI and software AES and AESNI is available in hardware, an adversary with fine control over which threads make progress in a multithreaded program could force software AES to be used for some time when the program starts. This could allow the adversary to conduct timing attacks and potentially recover the key. In particular, this attacker model may be possible against an SGX enclave. The same vulnerability affects GCM acceleration, which could allow a similarly powerful adversary to craft GCM forgeries. CVE-2025-52496
- Fix possible use-after-free or double-free in code calling mbedtls_x509_string_to_names(). This was caused by the function calling mbedtls_asn1_free_named_data_list() on its head argument, while the documentation did not suggest it did, making it likely for callers relying on the documented behaviour to still hold pointers to memory blocks after they were free()d, resulting in high risk of use-after-free or double-free, with consequences ranging up to arbitrary code execution. In particular, the two sample programs x509/cert_write and x509/cert_req were affected (use-after-free if the san string contains more than one DN). Code that does not call mbedtls_x509_string_to_names() directly is not affected. Found by Linh Le and Ngan Nguyen from Calif. CVE-2025-47917
- Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave an item in the output list in an inconsistent state with val.p == NULL but val.len > 0. This impacts applications that call this function directly, or indirectly via mbedtls_x509_string_to_names() or one of the mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions. The inconsistent state of the output could then cause a NULL dereference either inside the same call to mbedtls_x509_string_to_names(), or in subsequent users of the output structure, such as mbedtls_x509_write_names(). This only affects applications that create (as opposed to consume) X.509 certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data() directly. Found by Linh Le and Ngan Nguyen from Calif. CVE-2025-48965
- Fix an integer underflow that could occur when parsing malformed PEM keys, which could be used by an attacker capable of feeding encrypted PEM keys to a user. This could cause a crash or information disclosure. Found and reported by Linh Le and Ngan Nguyen from Calif. CVE-2025-52497
- Fix a timing side channel in the implementation of PKCS#7 padding which would allow an attacker who can request decryption of arbitrary ciphertexts to recover the plaintext through a timing oracle attack. Reported by Ka Lok Wu from Stony Brook University and Doria Tang from The Chinese University of Hong Kong. CVE-2025-49087
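The padding-oracle entry above describes the failure mode in one sentence. The following is an added illustration written for this page, not Mbed TLS code: it puts an early-exit PKCS#7 padding check next to a constant-time one and counts how many bytes each reads from the final block, which is the quantity an attacker measures through timing. Function names (unpad_leaky, unpad_ct, ct_lt, ct_eq) and the sample blocks are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Mbed TLS code. All names here are hypothetical. */
#define BLOCK_SIZE 16

typedef struct {
    int ret;          /* 0 = padding valid, -1 = invalid */
    size_t data_len;  /* plaintext length without padding (0 on failure) */
    size_t inspected; /* bytes read from the last block: the timing signal */
} unpad_result;

/* Early-exit check: stops at the first wrong byte, so the number of bytes
 * inspected, and hence the running time, depends on the (secret) padding. */
unpad_result unpad_leaky(const uint8_t *buf, size_t len)
{
    unpad_result r = { -1, 0, 0 };
    if (len == 0 || len % BLOCK_SIZE != 0) return r;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) return r;
    for (size_t d = 0; d < pad; d++) {
        r.inspected++;
        if (buf[len - 1 - d] != pad) return r;   /* leaks the mismatch position */
    }
    r.ret = 0;
    r.data_len = len - pad;
    return r;
}

/* 0xFF if a < b, else 0 (valid for a, b < 2^31). */
static uint8_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* 0xFF if a == b, else 0. */
static uint8_t ct_eq(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)(0u - ((x - 1u) >> 31));
}

/* Constant-time check: reads every byte of the last block, folds all
 * mismatches into a mask, and derives the outputs from that mask without
 * branching on secret data. Only the total length, which is public, is
 * branched on. */
unpad_result unpad_ct(const uint8_t *buf, size_t len)
{
    unpad_result r = { -1, 0, 0 };
    if (len == 0 || len % BLOCK_SIZE != 0) return r;
    const uint8_t *block = buf + len - BLOCK_SIZE;
    uint8_t pad = buf[len - 1];
    uint8_t bad = ct_eq(pad, 0) | ct_lt(BLOCK_SIZE, pad);   /* pad outside 1..16 */
    for (size_t d = 0; d < BLOCK_SIZE; d++) {
        uint8_t in_pad   = ct_lt((uint32_t)d, pad);                          /* d < pad */
        uint8_t mismatch = (uint8_t)~ct_eq(block[BLOCK_SIZE - 1 - d], pad);
        bad |= in_pad & mismatch;
        r.inspected++;
    }
    size_t good = (size_t)0 - (size_t)((~bad) & 1u);   /* all ones iff valid */
    r.data_len = (len - ((size_t)pad & good)) & good;
    r.ret = -(int)(bad & 1u);
    return r;
}

/* Constructed sample blocks (not taken from any real protocol trace). */
static const uint8_t sample_valid[BLOCK_SIZE] =
    { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11,11,11 };
static const uint8_t sample_full_pad[BLOCK_SIZE] =
    { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };
/* claims 3 padding bytes, but the third byte from the end is wrong */
static const uint8_t sample_bad_third[BLOCK_SIZE] =
    { 'A','A','A','A','A','A','A','A','A','A','A','A','A', 7, 3, 3 };
/* claims 3 padding bytes, but the second byte from the end is wrong */
static const uint8_t sample_bad_second[BLOCK_SIZE] =
    { 'A','A','A','A','A','A','A','A','A','A','A','A','A', 3, 2, 3 };
static const uint8_t sample_pad_zero[BLOCK_SIZE] =
    { 'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0 };

int main(void)
{
    const uint8_t *samples[] = { sample_valid, sample_full_pad, sample_bad_third,
                                 sample_bad_second, sample_pad_zero };
    for (size_t i = 0; i < 5; i++) {
        unpad_result a = unpad_leaky(samples[i], BLOCK_SIZE);
        unpad_result b = unpad_ct(samples[i], BLOCK_SIZE);
        printf("sample %zu: leaky ret=%d inspected=%zu | ct ret=%d inspected=%zu\n",
               i, a.ret, a.inspected, b.ret, b.inspected);
    }
    return 0;
}
```

The leaky variant inspects 11, 16, 3, 2 and 0 bytes for the five samples, so an observer who can submit ciphertexts learns how far into the block the padding was accepted; the constant-time variant inspects 16 bytes every time and still returns the same verdicts. In a real cipher layer the same idea has to extend to everything after the check as well (the copy of the plaintext, the MAC comparison), or the branch just moves elsewhere.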
Bugfix
- Fix failures of PSA multipart or interruptible operations when the library or the application is built with a compiler where "union foo x = {0}" does not initialize non-default members of the union, such as GCC 15 and some versions of Clang 18. This affected MAC multipart operations, MAC-based key derivation operations, interruptible signature, interruptible verification, and potentially other operations when using third-party drivers. This also affected one-shot MAC operations using the built-in implementation. Fixes #9814.
- On entry to PSA driver entry points that set up a multipart operation ("xxx_setup"), the operation object is supposed to be all-bits-zero. This was sometimes not the case when an operation object is reused, or with compilers where "union foo x = {0}" does not initialize non-default members of the union. The PSA core now ensures that this guarantee is met in all cases. Fixes #9975.
- Resolved a build issue with C++ projects using Mbed TLS 3.6 when compiling with the MSVC toolset v142 and earlier. Fixes mbedtls issue #7087.
- Silence spurious -Wunterminated-string-initialization warnings introduced by GCC 15. Fixes #9944.
- Fix a sloppy check in LMS public key import, which could lead to accepting keys with different LMS or LM-OTS types on some platforms. Specifically, this could happen on platforms where enum types are smaller than 32 bits and compiler optimization is enabled. Found and reported by Linh Le and Ngan Nguyen from Calif.
- Fix a race condition on x86/amd64 platforms in AESNI support detection that could lead to using software AES in some threads at the very beginning of a multithreaded program. Reported by Solar Designer. Fixes #9840.
- Fix mbedtls_base64_decode() on inputs that did not have the correct number of trailing equal signs, or had 4*k+1 digits. They were accepted as long as they had at most two trailing equal signs. They are now rejected. Furthermore, before, on inputs with too few equal signs, the function reported the correct size in *olen when it returned MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, but truncated the output to the last multiple of 3 bytes.
- When calling mbedtls_asn1_write_raw_buffer() with NULL, 0 as the last two arguments, undefined behaviour would be triggered, in the form of a call to memcpy(..., NULL, 0). This was harmless in practice, but could trigger complaints from sanitizers or static analyzers.
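The mbedtls_base64_decode() entry in the list above states the new acceptance rule (reject inputs whose digit and '=' counts do not form whole quadruples, including 4*k+1 digits, and report the required size before writing) without showing what enforcing it looks like. The following is an added example written for this page, not the library's implementation: a two-pass strict decoder that validates the structure first, then reports the exact output size, then decodes. The function name base64_decode_strict, the two helper functions and the error codes B64_ERR_INVALID_CHARACTER and B64_ERR_BUFFER_TOO_SMALL are hypothetical stand-ins, not Mbed TLS identifiers; it accepts only the standard alphabet with no whitespace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Mbed TLS code. Error codes are hypothetical stand-ins. */
#define B64_ERR_INVALID_CHARACTER (-1)
#define B64_ERR_BUFFER_TOO_SMALL  (-2)

/* Value of one base64 digit, or -1 if c is not a digit ('=' is not a digit). */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict decoder. Structure is checked before any size is reported, so a
 * malformed input never gets B64_ERR_BUFFER_TOO_SMALL. On that error *olen
 * holds the exact size needed; on success *olen is the number of bytes written. */
int base64_decode_strict(uint8_t *dst, size_t dlen, size_t *olen,
                         const char *src, size_t slen)
{
    size_t n = 0, p = 0;   /* digits seen, '=' seen */

    /* Pass 1: every '=' must be trailing, at most two of them, and the total
     * must be a whole number of quadruples. With p <= 2 this also rules out
     * n % 4 == 1 (4*k+1 digits), which would need three '='. */
    for (size_t i = 0; i < slen; i++) {
        if (src[i] == '=') {
            p++;
        } else {
            if (p > 0 || b64_value(src[i]) < 0) return B64_ERR_INVALID_CHARACTER;
            n++;
        }
    }
    if (p > 2 || (n + p) % 4 != 0) return B64_ERR_INVALID_CHARACTER;

    *olen = (n * 3) / 4;   /* 6 bits per digit, whole bytes only */
    if (*olen > dlen) return B64_ERR_BUFFER_TOO_SMALL;

    /* Pass 2: the first n characters are all digits (enforced above). Only the
     * low 12 bits of acc are ever used, so the unsigned wrap of the high bits
     * is harmless. */
    uint32_t acc = 0;
    int bits = 0;
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        acc = (acc << 6) | (uint32_t)b64_value(src[i]);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            dst[out++] = (uint8_t)(acc >> bits);
        }
    }
    return 0;
}

/* Test helper: 0 if src decodes to exactly `expected`, the decoder's error
 * code if it was rejected, -99 if it decoded to something else. */
int check_decode(const char *src, const char *expected)
{
    uint8_t out[64];
    size_t olen = 0;
    int ret = base64_decode_strict(out, sizeof out, &olen, src, strlen(src));
    if (ret != 0) return ret;
    if (olen != strlen(expected) || memcmp(out, expected, olen) != 0) return -99;
    return 0;
}

/* Test helper: size reported when no output room is offered; 0 if the
 * input is rejected outright instead of being sized. */
size_t needed_size(const char *src)
{
    size_t olen = 0;
    int ret = base64_decode_strict(NULL, 0, &olen, src, strlen(src));
    return ret == B64_ERR_BUFFER_TOO_SMALL ? olen : 0;
}

int main(void)
{
    /* Constructed inputs: well-formed, missing '=', extra '=', 4*k+1 digits. */
    const char *inputs[] = { "aGVsbG8=", "aGVsbA==", "aGVsbG8", "aGVsbG8==", "aGVsb" };
    for (size_t i = 0; i < 5; i++) {
        printf("%-10s -> %d\n", inputs[i], check_decode(inputs[i], "hello"));
    }
    return 0;
}
```

The order of the checks is the point: counting digits and padding before sizing means a caller who probes with a zero-length buffer learns a size only for inputs that will actually decode, and the output is never silently truncated to a multiple of three bytes.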
Changes
- The function mbedtls_x509_string_to_names() now requires its head argument to point to NULL on entry. This makes it likely that existing risky uses of this function (see the entry in the Security section) will be detected and fixed.
Note
mbedtls-3.6.4.tar.bz2 and mbedtls-3.6.4-easy-make-lib.tar.bz2 are our official release files. source.tar.gz and source.zip are automatically generated snapshots that GitHub generates. They do not include external dependencies, and can't be configured. Between the mbedtls-3.6.4* archives, pick whichever is convenient for you, noting that mbedtls-3.6.4.tar.bz2 has more requirements than intended to run make lib.
Checksum
The SHA-256 hashes for the archives are:
40d83e4040c3e548a61f6ac19b697b0380149abafd6923196a70b6067b543261 mbedtls-3.6.4-easy-make-lib.tar.bz2
6a7ed66b4aca38836f0eff8d8fba72992bf0c7326337608ef01de469fd8368bd mbedtls-3.6.4-easy-make-lib.tar.xz
ec35b18a6c593cf98c3e30db8b98ff93e8940a8c4e690e66b41dfc011d678110 mbedtls-3.6.4.tar.bz2
Archive history:
- 2025-07-31: Replaced mbedtls-3.6.4.tar.bz2 with a new archive that has exactly the same file content, but file timestamps have been updated to fix https://github.com/Mbed-TLS/mbedtls/issues/10332. This archive was accidentally uploaded with xz compression, despite the .bz2 file name.
- 2025-08-01: Restored the original mbedtls-3.6.4.tar.bz2 and published the fix for #10332 with a new file name mbedtls-3.6.4-easy-make-lib.tar.bz2 (and mbedtls-3.6.4-easy-make-lib.tar.xz for the xz version).