CVE-2025-59438Observable Timing Discrepancy in ARM Mbed TLS

CWE-208Observable Timing Discrepancy6 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 87.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mbed MbedtlsARM Mbed TLS
Timeline
PublishedOct 21

Description

Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDarm/mbed_tls< 3.6.5
Debianmbed/mbedtls< 3.6.5-0.1~deb13u1+1

🔴Vulnerability Details

3
CVEList
CVE-2025-59438: Mbed TLS through 32025-10-21
GHSA
GHSA-mqc9-9p37-h763: Mbed TLS through 32025-10-21
OSV
CVE-2025-59438: Mbed TLS through 32025-10-21

📋Vendor Advisories

1
Debian
CVE-2025-59438: mbedtls - Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.2025

💬Community

1
Bugzilla
CVE-2025-59438 micropython: MbedTLS Padding oracle through timing of cipher error reporting [fedora-all]2025-10-21
CVE-2025-59438 — Observable Timing Discrepancy in ARM | cvebase