CVE-2025-66442Covert Timing Channel in ARM Mbed TLS

CWE-385Covert Timing ChannelCWE-733Compiler Optimization Removal or Modification of Security-critical Code18 documents8 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 94.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ARM Mbed TLSARM Tf-psa-crypto
Timeline
PublishedApr 1
Latest updateApr 2

Description

In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 1.4 | Impact: 3.6

Affected Packages2 packages

NVDarm/mbed_tls4.0.0

🔴Vulnerability Details

3
CVEList
CVE-2025-66442: In Mbed TLS through 42026-04-01
GHSA
GHSA-56v8-wv3m-qgg6: In Mbed TLS through 42026-04-01
OSV
CVE-2025-66442: In Mbed TLS through 42026-04-01

📋Vendor Advisories

2
Red Hat
mbedtls: Mbed TLS and TF-PSA-Crypto: Information disclosure via compiler-induced timing side channel2026-04-01
Debian
CVE-2025-66442: mbedtls - In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in R...2025

🕵️Threat Intelligence

11
Wiz
CVE-2026-34873 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34871 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-25835 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34876 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-25833 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2025-66442 micropython: Mbed TLS and TF-PSA-Crypto: Information disclosure via compiler-induced timing side channel [fedora-all]2026-04-02
CVE-2025-66442 — Covert Timing Channel in ARM Mbed TLS | cvebase