CVE-2025-66442

medium

Description

In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.

References

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/

https://mbed-tls.readthedocs.io/en/latest/security-advisories/

https://github.com/Mbed-TLS/mbedtls/releases

https://github.com/Mbed-TLS/TF-PSA-Crypto/releases

Details

Source: Mitre, NVD

Published: 2026-04-01

Updated: 2026-04-03

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.1

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N