
CVE-2025-48965: Arm Mbed TLS Use-After-Free Vulnerability

CVE-2025-48965 is a use-after-free vulnerability in Arm Mbed TLS causing NULL pointer dereference. This critical flaw affects versions before 3.6.4. This post covers technical details, affected versions, and mitigations.

Updated: January 22, 2026

CVE-2025-48965 Overview

CVE-2025-48965 is a NULL pointer dereference vulnerability in Mbed TLS before version 3.6.4. The flaw exists in the mbedtls_asn1_store_named_data function, which can trigger a conflicting state where val.p is NULL while val.len contains a value greater than zero. This inconsistent state leads to a NULL pointer dereference when the application attempts to access the data, resulting in a denial of service condition.

Critical Impact

Network-accessible NULL pointer dereference vulnerability that can cause application crashes and denial of service in systems using vulnerable Mbed TLS versions for cryptographic operations.

Affected Products

  • Arm Mbed TLS versions prior to 3.6.4
  • Applications and embedded systems utilizing vulnerable Mbed TLS library versions
  • IoT devices and network services with Mbed TLS ASN.1 parsing functionality

Discovery Timeline

  • 2025-07-20 - CVE-2025-48965 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-48965

Vulnerability Analysis

This vulnerability is a NULL Pointer Dereference (CWE-476) combined with an Incorrect Behavior Order issue (CWE-696). The flaw resides in the ASN.1 data handling routines of the Mbed TLS cryptographic library. When mbedtls_asn1_store_named_data processes certain inputs, it can create an inconsistent internal state where the data pointer (val.p) is NULL while the length field (val.len) indicates data is present. Subsequent operations that trust the length field and attempt to dereference the NULL pointer will cause the application to crash.

The vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can send specially crafted ASN.1 data to trigger this condition, causing a denial of service. While the vulnerability does not directly enable code execution or data theft, its ability to crash cryptographic services makes it significant for systems where availability is critical.

Root Cause

The root cause stems from improper state management within the mbedtls_asn1_store_named_data function. The function fails to ensure consistency between the val.p pointer and val.len length field in the named data structure. When certain edge cases or malformed inputs are processed, the function may set the length to a non-zero value while leaving the pointer as NULL, or vice versa. This violates the expected invariant that a non-zero length implies a valid pointer, creating a dangerous inconsistent state that leads to crashes when the data is later accessed.
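The invariant described above can be checked defensively before stored named data is read. The following C sketch is an added example, not code from Mbed TLS or from the advisory; the `asn1_buf` and `named_data` types are local stand-ins for `mbedtls_asn1_buf` and `mbedtls_asn1_named_data`, the function names are hypothetical, and the sample list is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for mbedtls_asn1_buf / mbedtls_asn1_named_data (assumption:
 * production code would include <mbedtls/asn1.h> and use the real types). */
typedef struct { int tag; size_t len; unsigned char *p; } asn1_buf;
typedef struct named_data {
    asn1_buf oid, val;
    struct named_data *next;
} named_data;

/* The invariant: a non-zero length implies a non-NULL pointer. */
static int buf_ok(const asn1_buf *b) { return b->len == 0 || b->p != NULL; }

/* Index of the first list entry that breaks the invariant, or -1 if none. */
int first_inconsistent(const named_data *head) {
    int i = 0;
    for (const named_data *cur = head; cur != NULL; cur = cur->next, i++)
        if (!buf_ok(&cur->oid) || !buf_ok(&cur->val))
            return i;
    return -1;
}

/* Copy an entry's value only when the state is consistent and it fits.
 * Returns the number of bytes copied, or -1 when the entry is rejected. */
long copy_value_checked(const named_data *e, unsigned char *out, size_t cap) {
    if (e == NULL || out == NULL || !buf_ok(&e->val) || e->val.len > cap)
        return -1;
    if (e->val.len > 0)
        memcpy(out, e->val.p, e->val.len);
    return (long) e->val.len;
}

/* Constructed sample: entry 0 is well formed, entry 1 has val.p == NULL
 * with val.len == 4, the inconsistent state described in the text. */
static unsigned char oid_cn[] = { 0x55, 0x04, 0x03 };
static unsigned char name[] = "host";
static unsigned char out[16];
static named_data bad  = { { 0x06, 3, oid_cn }, { 0x0C, 4, NULL }, NULL };
static named_data good = { { 0x06, 3, oid_cn }, { 0x0C, 4, name }, &bad };

int main(void) {
    printf("first inconsistent entry: %d\n", first_inconsistent(&good));
    printf("copy entry 0: %ld\n", copy_value_checked(&good, out, sizeof out));
    printf("copy entry 1: %ld\n", copy_value_checked(&bad, out, sizeof out));
    return 0;
}
```

A check of this kind makes application code fail closed on the inconsistent state; it does not replace upgrading the library.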

Attack Vector

The vulnerability is network-accessible, allowing remote attackers to exploit it without any privileges or user interaction. Attack scenarios include:

  1. TLS Handshake Attacks: Sending malformed certificates or extensions containing crafted ASN.1 structures during TLS negotiation
  2. Certificate Parsing: Submitting specially constructed X.509 certificates with malicious ASN.1 data to certificate validation routines
  3. CRL/OCSP Processing: Providing crafted Certificate Revocation Lists or OCSP responses that trigger the vulnerable code path

The vulnerability mechanism involves crafting ASN.1 data that causes mbedtls_asn1_store_named_data to enter the inconsistent state. When the application subsequently processes this stored data, it trusts the non-zero length value and attempts to dereference the NULL pointer, causing an immediate crash. For detailed technical information, refer to the GitHub MbedTLS Security Advisory.

Detection Methods for CVE-2025-48965

Indicators of Compromise

  • Unexpected crashes or segmentation faults in services using Mbed TLS for TLS/SSL operations
  • Application logs showing NULL pointer access violations in ASN.1 processing code paths
  • Repeated service restarts coinciding with incoming TLS connections or certificate operations
  • Core dumps indicating crashes within mbedtls_asn1_store_named_data or related ASN.1 functions

Detection Strategies

  • Monitor system logs and application crash reports for segmentation faults in Mbed TLS library components
  • Implement application-level health checks to detect unexpected restarts of TLS-dependent services
  • Use static analysis tools to identify Mbed TLS library versions in deployed applications and compare against the vulnerable version range
  • Deploy network intrusion detection systems with signatures for malformed ASN.1 structures in TLS traffic

Monitoring Recommendations

  • Enable crash reporting and core dump collection for services utilizing Mbed TLS to capture forensic data
  • Configure application performance monitoring to alert on unusual restart patterns or availability degradation
  • Implement log aggregation to correlate TLS-related crashes across distributed systems
  • Conduct regular software inventory audits to track Mbed TLS library versions across the environment

How to Mitigate CVE-2025-48965

Immediate Actions Required

  • Upgrade Mbed TLS to version 3.6.4 or later, which contains the fix for this vulnerability
  • Audit all applications and embedded systems to identify those using vulnerable Mbed TLS versions
  • Prioritize patching internet-facing services and critical infrastructure components
  • Review the Mbed TLS Security Advisories for additional guidance

Patch Information

The vulnerability has been addressed in Mbed TLS version 3.6.4. Organizations should obtain the patched version from the official Mbed TLS repository and follow standard upgrade procedures. For Debian-based systems, refer to the Debian LTS Security Announcement for distribution-specific patch information.

Vendor security resources:

  • GitHub MbedTLS Security Advisory
  • Mbed TLS Security Advisories Documentation

Workarounds

  • Implement network-level filtering to restrict access to TLS services from untrusted sources while awaiting patching
  • Deploy a web application firewall (WAF) or TLS proxy capable of validating certificate structures before forwarding to backend services
  • Consider isolating vulnerable services in network segments with restricted access to limit exposure
  • Enable process supervision with automatic restart capabilities to minimize service downtime during potential exploitation attempts

```bash
# Verify the Mbed TLS packages currently installed on the system
dpkg -l | grep mbedtls

# For Debian/Ubuntu systems, upgrade only the Mbed TLS packages.
# Package names differ between releases; use the names listed by dpkg above.
sudo apt update && sudo apt install --only-upgrade libmbedtls-dev libmbedtls14

# Verify the installed version is 3.6.4 or later
pkg-config --modversion mbedtls
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Arm Mbed TLS
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.03%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-696
  • CWE-476

Technical References

  • Debian LTS Security Announcement

Vendor Resources

  • GitHub MbedTLS Security Advisory
  • Mbed TLS Security Advisories

Related CVEs

  • CVE-2025-47917: Arm Mbed TLS Use-After-Free Vulnerability
  • CVE-2021-44732: Arm Mbed TLS Use-After-Free Vulnerability
  • CVE-2025-52497: Arm Mbed TLS Buffer Overflow Vulnerability
  • CVE-2025-52496: Arm Mbed TLS Race Condition Vulnerability