CVE-2025-48965

MEDIUM 4.0 / 10.0
Published: July 20, 2025 at 06:15 PM
Modified: November 3, 2025 at 08:19 PM
Source: cve@mitre.org

Vulnerability Description

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

CVSS Metrics

Base Score
4.0
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L

Weaknesses (CWE)

Source: cve@mitre.org
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Mbed TLS versions prior to 3.6.4 contain a NULL pointer dereference caused by a flaw in the mbedtls_asn1_store_named_data function. By crafting malicious input, an attacker could potentially crash the application or achieve remote code execution, leading to a denial of service or complete system compromise.

02 // Vulnerability Mechanism

Step 1 - Malicious Input Creation: An attacker crafts a malicious ASN.1 structure designed to exploit the vulnerability. This structure contains named data that triggers the flawed logic in mbedtls_asn1_store_named_data.

Step 2 - Input Delivery: The crafted ASN.1 structure is delivered to the vulnerable application. This could happen through various channels, such as a network connection, a file upload, or a crafted message.

Step 3 - ASN.1 Parsing: The vulnerable application parses the malicious ASN.1 structure using Mbed TLS.

Step 4 - Vulnerability Trigger: During parsing, the mbedtls_asn1_store_named_data function is called with the crafted data and encounters the conflicting state (NULL pointer, non-zero length).

Step 5 - NULL Pointer Dereference: The function attempts to access memory through the NULL pointer, leading to a crash and denial of service.

03 // Deep Technical Analysis

The vulnerability lies in the mbedtls_asn1_store_named_data function of Mbed TLS, which mishandles ASN.1 named data. The core issue is an inconsistent buffer state in which val.p (the data pointer) is NULL while val.len (the length) is greater than zero. Because the function does not check that val.p is valid before reading from the memory it points to, this (pointer, length) conflict leads to a NULL pointer dereference: the code attempts to read from address 0 and the program crashes. The root cause is therefore missing input validation, which allows a malformed ASN.1 structure to reach the function and trigger the crash.
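The defensive pattern the analysis points to, shown as an added example (not Mbed TLS's own code): a hypothetical, simplified store routine for a list of (OID, value) entries that rejects the inconsistent "NULL pointer with non-zero length" pair up front instead of reaching the copy. The struct names, error codes and OID bytes are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for an ASN.1 buffer and a named-data
 * list entry, constructed for this example (not Mbed TLS's own types). */
typedef struct { size_t len; unsigned char *p; } asn1_buf;
typedef struct named_data { asn1_buf oid, val; struct named_data *next; } named_data;

enum { STORE_OK = 0, STORE_ERR_BAD_INPUT = -1, STORE_ERR_ALLOC = -2 };

/* Hardened store routine. A (pointer, length) pair with val == NULL but
 * val_len > 0 is rejected before any allocation or copy; without that check
 * the memcpy at the end would read from address 0 on such input. */
int store_named_data(named_data **head, const unsigned char *oid, size_t oid_len,
                     const unsigned char *val, size_t val_len)
{
    if (oid == NULL || oid_len == 0 || (val == NULL && val_len != 0))
        return STORE_ERR_BAD_INPUT;   /* inconsistent (NULL, len > 0) input */

    /* Look for an existing entry with the same OID. */
    named_data *cur = *head;
    while (cur != NULL && !(cur->oid.len == oid_len && memcmp(cur->oid.p, oid, oid_len) == 0))
        cur = cur->next;

    if (cur == NULL) {                /* new OID: create and link an entry */
        cur = calloc(1, sizeof *cur);
        if (cur == NULL) return STORE_ERR_ALLOC;
        cur->oid.p = malloc(oid_len);
        if (cur->oid.p == NULL) { free(cur); return STORE_ERR_ALLOC; }
        memcpy(cur->oid.p, oid, oid_len);
        cur->oid.len = oid_len;
        cur->next = *head;
        *head = cur;
    } else if (cur->val.len != val_len) {   /* length changed: drop old value */
        free(cur->val.p);
        cur->val.p = NULL;
        cur->val.len = 0;
    }

    if (val_len != 0 && cur->val.p == NULL) {
        cur->val.p = malloc(val_len);
        if (cur->val.p == NULL) return STORE_ERR_ALLOC;
    }
    if (val_len != 0)
        memcpy(cur->val.p, val, val_len);  /* safe: val is non-NULL whenever val_len > 0 */
    cur->val.len = val_len;
    return STORE_OK;
}
```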

CVE-2025-48965 - MEDIUM Severity (4) | Free CVE Database | 4nuxd