Alpine: multiple mbedtls packages: security update to 3.6.5-r0

medium Tenable Cloud Security Plugin ID 435641

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to
mbedtls_mpi_mod_inv or mbedtls_mpi_gcd. (CVE-2025-54764)

- Mbed TLS through 3.6.4 has an Observable Timing Discrepancy. (CVE-2025-59438)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-54764

https://security.alpinelinux.org/vuln/CVE-2025-59438

Plugin Details

Severity: Medium

ID: 435641

Version: Revision 1.9

Type: Local

Published: 10/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.19

CVSS v3

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 5.6

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-54764

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2025-54764, CVE-2025-59438