Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context (CVE-2026-50579)
Title |
Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context |
|---|---|
CVE |
CVE-2026-50579 |
Date |
7th of July, 2026 |
Affects |
Mbed TLS 3.3.0 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0 |
Not affected |
Mbed TLS before 3.3.0; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later versions |
Impact |
Memory corruption and denial of service |
Severity |
HIGH |
Credits |
NVIDIA Project Vanessa |
Vulnerability
mbedtls_pkcs7_free() frees the signer list in an mbedtls_pkcs7 context, but in affected versions it only clears pkcs7->raw.p before returning. Other fields in the context, including signed_data.signers.next, can therefore retain stale pointers to freed memory.
An application is vulnerable if it parses PKCS7 data into an mbedtls_pkcs7 context, calls mbedtls_pkcs7_free() on that context, and later reuses the same context for another PKCS7 parse without first reinitializing it. In such a parse -> free -> parse -> free sequence, specially crafted PKCS7 input can leave stale signer-list pointers in the context and cause a later free operation to walk freed memory.
Applications are not affected if they do not build or enable MBEDTLS_PKCS7_C, if they do not parse PKCS7 data, or if they do not reuse an mbedtls_pkcs7 context after calling mbedtls_pkcs7_free() without reinitializing it.
Impact
A malicious PKCS7 input can trigger a use-after-free or double-free in applications that reuse an mbedtls_pkcs7 context after freeing it. This can lead to memory corruption and denial of service. Depending on the platform, allocator behavior, and surrounding application memory layout, further impact may be possible.
Affected versions
Mbed TLS 3.3.0 through 3.6.6 are affected. Mbed TLS 4.0.0 through 4.1.0 are affected.
Mbed TLS versions before 3.3.0 are not affected because they do not include the affected PKCS7 parser code.
TF-PSA-Crypto is not affected.
Work-around
Applications using an affected version should not reuse an mbedtls_pkcs7 context after calling mbedtls_pkcs7_free() unless the context is reinitialized with mbedtls_pkcs7_init() before the next parse operation.
Applications can also avoid the issue by using a fresh mbedtls_pkcs7 context for each PKCS7 parse/free cycle.
Resolution
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later version.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
699d4030c2eba488033d2291d52966533c819db0 |
N/A |
N/A |
b1a4b07509cbadbaa963ae896d4d44ddba550f74 |
67e696b430716f95ed714f2c1404681697251438 |
With tests and documentation |
699d4030c2eba488033d2291d52966533c819db0^..12717ec8f4c3c4721365c6dcb588e77f3ef6e223 |
N/A |
N/A |
b1a4b07509cbadbaa963ae896d4d44ddba550f74^..c20cd06cb41453ed29609c3cd9aacf24e54a7083 |
67e696b430716f95ed714f2c1404681697251438^..377aa4eff16cd0aa5e7440a41de59847e3a789a0 |