Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context (CVE-2026-50579)

Title

Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context

CVE

CVE-2026-50579

Date

7th of July, 2026

Affects

Mbed TLS 3.3.0 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0

Not affected

Mbed TLS before 3.3.0; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later versions

Impact

Memory corruption and denial of service

Severity

HIGH

Credits

NVIDIA Project Vanessa

Vulnerability

mbedtls_pkcs7_free() frees the signer list in an mbedtls_pkcs7 context, but in affected versions it only clears pkcs7->raw.p before returning. Other fields in the context, including signed_data.signers.next, can therefore retain stale pointers to freed memory.

An application is vulnerable if it parses PKCS7 data into an mbedtls_pkcs7 context, calls mbedtls_pkcs7_free() on that context, and later reuses the same context for another PKCS7 parse without first reinitializing it. In such a parse -> free -> parse -> free sequence, specially crafted PKCS7 input can leave stale signer-list pointers in the context and cause a later free operation to walk freed memory.

Applications are not affected if they do not build or enable MBEDTLS_PKCS7_C, if they do not parse PKCS7 data, or if they do not reuse an mbedtls_pkcs7 context after calling mbedtls_pkcs7_free() without reinitializing it.

Impact

A malicious PKCS7 input can trigger a use-after-free or double-free in applications that reuse an mbedtls_pkcs7 context after freeing it. This can lead to memory corruption and denial of service. Depending on the platform, allocator behavior, and surrounding application memory layout, further impact may be possible.

Affected versions

Mbed TLS 3.3.0 through 3.6.6 are affected. Mbed TLS 4.0.0 through 4.1.0 are affected.

Mbed TLS versions before 3.3.0 are not affected because they do not include the affected PKCS7 parser code.

TF-PSA-Crypto is not affected.

Work-around

Applications using an affected version should not reuse an mbedtls_pkcs7 context after calling mbedtls_pkcs7_free() unless the context is reinitialized with mbedtls_pkcs7_init() before the next parse operation.

Applications can also avoid the issue by using a fresh mbedtls_pkcs7 context for each PKCS7 parse/free cycle.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later version.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

TF-PSA-Crypto 1.1.x

TF-PSA-Crypto 1.x (x>1)

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

699d4030c2eba488033d2291d52966533c819db0

N/A

N/A

b1a4b07509cbadbaa963ae896d4d44ddba550f74

67e696b430716f95ed714f2c1404681697251438

With tests and documentation

699d4030c2eba488033d2291d52966533c819db0^..12717ec8f4c3c4721365c6dcb588e77f3ef6e223

N/A

N/A

b1a4b07509cbadbaa963ae896d4d44ddba550f74^..c20cd06cb41453ed29609c3cd9aacf24e54a7083

67e696b430716f95ed714f2c1404681697251438^..377aa4eff16cd0aa5e7440a41de59847e3a789a0