PT-2025-28012 · Mbed Tls · Mbed Tls
Published: 2025-06-30 · Updated: 2025-07-04 · CVE-2025-49600
CVSS v3.1: 4.9 (Medium)
Vector: AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MbedTLS versions 3.3.0 through 3.6.3
Description: The issue allows an attacker to bypass LMS signature verification by reusing stale stack data, resulting in the acceptance of an invalid signature. It occurs because return values inside mbedtls_lms_verify are not checked, which matters in particular when a hardware hash accelerator faults. The functions create_merkle_leaf_value and create_merkle_internal_value return an integer indicating success or failure, but these return values are not checked. If one of them fails, its output buffer may be left uninitialized, so the outcome of signature verification becomes unpredictable. The issue is particularly relevant with hardware-accelerated hashing, since an attacker who can inject faults into the accelerator could use this to bypass verification.
Recommendations: For MbedTLS versions 3.3.0 through 3.6.3, update to version 3.6.4 or later to resolve the issue. As a temporary workaround, consider disabling hardware-accelerated hashing in favor of the software implementation until the update is applied. Restrict access to mbedtls_lms_verify to minimize the risk of exploitation. Avoid using the create_merkle_leaf_value and create_merkle_internal_value functions in scenarios where their return values are not properly checked.
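The following is an added illustration of the bug class described above and of the fix pattern; it is not Mbed TLS code and does not reproduce the real LMS verification path. All names (toy_hash, walk_unchecked, walk_checked, verify_root, run_demo), the 16-byte toy digest and the sample leaf and path values are constructed for this example. It models a hash primitive that can fault (returning an error and writing nothing to its output buffer), a Merkle-style path walk that drops that status, and the hardened walk that checks every status and wipes the buffer so the caller fails closed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HASH_LEN 16
#define DEPTH    3

/* Toy 128-bit digest made of four FNV-1a lanes. Constructed stand-in for the real
 * hash so the example runs offline; it has no cryptographic strength. 'fault'
 * models an accelerator failure: an error is returned and 'out' is NOT written. */
static int toy_hash(const uint8_t *in, size_t len, uint8_t out[HASH_LEN], int fault)
{
    if (fault)
        return -1;                               /* out keeps whatever it held */
    for (int lane = 0; lane < 4; lane++) {
        uint32_t h = 0x811C9DC5u ^ ((uint32_t)lane * 0x9E3779B9u);
        for (size_t i = 0; i < len; i++) {
            h ^= in[i];
            h *= 0x01000193u;
        }
        memcpy(out + 4 * lane, &h, 4);
    }
    return 0;
}

/* Merkle-style walk: node = H(node || sibling) at each level.
 * Vulnerable form: the hash status is dropped, so on a fault 'node' silently keeps
 * the previous level's value and the walk carries on as if the hash had succeeded. */
static int walk_unchecked(uint8_t node[HASH_LEN], uint8_t path[DEPTH][HASH_LEN], int fault_at)
{
    uint8_t buf[2 * HASH_LEN];
    for (int i = 0; i < DEPTH; i++) {
        memcpy(buf, node, HASH_LEN);
        memcpy(buf + HASH_LEN, path[i], HASH_LEN);
        (void)toy_hash(buf, sizeof buf, node, fault_at == i);   /* BUG: status ignored */
    }
    return 0;
}

/* Hardened form: every status is checked and the output buffer is wiped on failure,
 * so no caller can mistake residue for a computed value. */
static int walk_checked(uint8_t node[HASH_LEN], uint8_t path[DEPTH][HASH_LEN], int fault_at)
{
    uint8_t buf[2 * HASH_LEN];
    for (int i = 0; i < DEPTH; i++) {
        memcpy(buf, node, HASH_LEN);
        memcpy(buf + HASH_LEN, path[i], HASH_LEN);
        if (toy_hash(buf, sizeof buf, node, fault_at == i) != 0) {
            memset(node, 0, HASH_LEN);
            return -1;
        }
    }
    return 0;
}

/* 1 if walking 'path' from 'leaf' reproduces 'root', else 0. 'fault_at' is the level
 * at which the simulated accelerator fails (-1 = no fault); 'checked' picks the walk. */
int verify_root(const uint8_t leaf[HASH_LEN], uint8_t path[DEPTH][HASH_LEN],
                const uint8_t root[HASH_LEN], int fault_at, int checked)
{
    uint8_t node[HASH_LEN];
    memcpy(node, leaf, HASH_LEN);
    int rc = checked ? walk_checked(node, path, fault_at)
                     : walk_unchecked(node, path, fault_at);
    if (rc != 0)
        return 0;                                /* fail closed */
    return memcmp(node, root, HASH_LEN) == 0;
}

/* Runs the scenario on constructed data and returns a bitmask of outcomes:
 * bit0/bit1: valid input, no fault, unchecked/checked walk accepts (both 1)
 * bit2: unchecked walk accepts the residue left by a last-level fault (1 = the bug)
 * bit3: checked walk accepts that residue (must be 0)
 * bit4: the residue differs from the real root (1) */
int run_demo(void)
{
    uint8_t leaf[HASH_LEN], path[DEPTH][HASH_LEN], real_root[HASH_LEN], stale[HASH_LEN];
    for (int j = 0; j < HASH_LEN; j++)           /* constructed leaf value */
        leaf[j] = (uint8_t)(0xA0 + j);
    for (int i = 0; i < DEPTH; i++)              /* constructed authentication path */
        for (int j = 0; j < HASH_LEN; j++)
            path[i][j] = (uint8_t)(0x10 * (i + 1) + j);

    memcpy(real_root, leaf, HASH_LEN);           /* honest root: full walk, no fault */
    walk_checked(real_root, path, -1);

    memcpy(stale, leaf, HASH_LEN);               /* residue: previous level's output */
    walk_unchecked(stale, path, DEPTH - 1);

    int mask = 0;
    mask |= verify_root(leaf, path, real_root, -1, 0) << 0;
    mask |= verify_root(leaf, path, real_root, -1, 1) << 1;
    mask |= verify_root(leaf, path, stale, DEPTH - 1, 0) << 2;
    mask |= verify_root(leaf, path, stale, DEPTH - 1, 1) << 3;
    mask |= (memcmp(stale, real_root, HASH_LEN) != 0) << 4;
    return mask;                                 /* expected 0x17 */
}

int main(void)
{
    int m = run_demo();
    printf("unchecked walk accepts residue as root: %s\n", (m & 0x4) ? "yes (bug)" : "no");
    printf("checked walk rejects that residue:      %s\n", (m & 0x8) ? "no" : "yes");
    return 0;
}
```

The point the demo makes is that once a status is dropped, the verifier's decision depends on whatever the buffer held rather than on the hash, which is exactly what a fault against the accelerator turns into an accept. The defensive pattern is the one in walk_checked: propagate every error, and poison or zero the output buffer on the failure path so that a later comparison cannot succeed by accident.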

Related Identifiers: BDU:2025-09515, CVE-2025-49600
Affected Products: Mbed Tls