MbedTLS
cpe:2.3:a:mbed:mbedtls:*:*:*:*:*:*:*
- >= 3.3.0, < 3.6.4
A vulnerability in MbedTLS versions 3.3.0 up to, but not including, 3.6.4 allows Leighton-Micali Signature (LMS) forgery under certain fault conditions. The issue arises in the `mbedtls_lms_verify` function, where the return values of internal Merkle tree functions are not checked, so a failed internal hash computation can still result in an invalid signature being accepted. If the hardware hash accelerator faults, the failed call leaves its output buffer holding uninitialized stack data, which the verification code then uses as though it were a valid hash; an attacker able to induce such a fault could therefore bypass signature verification. The vulnerability is particularly concerning when hardware-accelerated SHA-256 hashing is in use, because a fault in the accelerator could then be exploited to manipulate the verification process.
Exploitation of this vulnerability could lead to unauthorized acceptance of forged LMS signatures, undermining the integrity of the signature verification process.
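The checking pattern the fix relies on, as an added example that is not MbedTLS code: a toy hash backend (not SHA-256) stands in for an accelerator that can fault, and every return value on the Merkle-root path is propagated so the verifier rejects instead of comparing against stale stack bytes. All function names and the leaf values are hypothetical and constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated hash backend: a toy mixing function, NOT SHA-256, standing in
 * for a hardware accelerator that can fault. On a fault it returns nonzero
 * and writes nothing to `out`, which is exactly when an unchecked caller
 * would go on using whatever stale bytes were already on the stack. */
static int backend_fault = 0;
void set_backend_fault(int on) { backend_fault = on; }

int toy_hash(const uint8_t *in, size_t len, uint8_t out[8]) {
    if (backend_fault) return -1;        /* fault: `out` left untouched */
    uint64_t h = 0xcbf29ce484222325ULL;  /* FNV-1a style mixing */
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(h >> (8 * i));
    return 0;
}

/* Two-leaf Merkle root (the public key is this root). The hash's return
 * value is propagated and `root` is zeroised on failure, so even a caller
 * that forgets to check `ret` cannot mistake leftovers for a real root. */
int merkle_root(const uint8_t l0[8], const uint8_t l1[8], uint8_t root[8]) {
    uint8_t buf[16];
    memcpy(buf, l0, 8);
    memcpy(buf + 8, l1, 8);
    int ret = toy_hash(buf, sizeof buf, root);
    if (ret != 0) memset(root, 0, 8);
    return ret;
}

/* Hardened verifier: an internal error is a hard reject (-1) and never
 * reaches the comparison. 0 = valid, -2 = root does not match the key. */
int verify_checked(const uint8_t l0[8], const uint8_t l1[8], const uint8_t pub[8]) {
    uint8_t root[8];
    if (merkle_root(l0, l1, root) != 0) return -1;
    return memcmp(root, pub, 8) == 0 ? 0 : -2;
}

int main(void) {
    const uint8_t a[8] = {1,2,3,4,5,6,7,8}, b[8] = {9,9,9,9,9,9,9,9}; /* constructed leaves */
    uint8_t pub[8];
    merkle_root(a, b, pub);                                   /* key generation */
    printf("no fault: %d\n", verify_checked(a, b, pub));      /* 0 */
    set_backend_fault(1);
    printf("fault:    %d\n", verify_checked(a, b, pub));      /* -1, not 0 */
    return 0;
}
```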