What is CVE-2025-49600?

CVE-2025-49600 is a medium-severity vulnerability in Mbed Mbedtls, classified under Missing Cryptographic Step. CVSS score: 4.9/10. Published 2025-07-04.

How severe is CVE-2025-49600?

Medium severity. CVSS v3 base score is 4.9 out of 10.

Vulnerability in Mbed Mbedtls

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked retur…

EPSS: 0.000 (14.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.9 (Medium). Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N.

Affected products

Mbed Mbedtls — versions 3.3.0
Trustedfirmware Mbed_tls

Weakness classification (CWE)

CWE-325 — Missing Cryptographic Step

References

cve@mitre.org (Third Party Advisory)

Frequently asked questions

What is CVE-2025-49600?: CVE-2025-49600 is a medium-severity vulnerability in Mbed Mbedtls, classified under Missing Cryptographic Step. CVSS score: 4.9/10. Published 2025-07-04.
How severe is CVE-2025-49600?: Medium severity. CVSS v3 base score is 4.9 out of 10.