CVE-2025-54764: Observable Timing Discrepancy in ARM Mbed TLS

Severity: 6.2 MEDIUM (NVD)
EPSS: 0.0% (top 94.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 20
Latest update: Oct 21

Description

Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.5 | Impact: 3.6

Affected Packages (2 packages)

NVD: arm/mbed_tls < 3.6.5
Debian: mbed/mbedtls < 3.6.5-0.1~deb13u1+1

🔴 Vulnerability Details (3)

GHSA: GHSA-6237-9hpw-gcm6: Mbed TLS before 3 (2025-10-21)
OSV: CVE-2025-54764: Mbed TLS before 3 (2025-10-20)
CVEList: CVE-2025-54764: Mbed TLS before 3 (2025-10-20)

📋 Vendor Advisories (1)

Debian: CVE-2025-54764: mbedtls - Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operation... (2025)

💬 Community (1)

Bugzilla: CVE-2025-54764 micropython: Mbedtls timing attacks in RSA operations [fedora-all] (2025-10-20)