{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-66442", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T20:00:06.815Z", "dateReserved": "2025-12-01T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T19:28:05.685Z"}, "descriptions": [{"lang": "en", "value": "In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"url": "https://github.com/Mbed-TLS/TF-PSA-Crypto/releases"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-385", "lang": "en", "description": "CWE-385 Covert Timing Channel"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:59:38.178674Z", "id": "CVE-2025-66442", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:00:06.815Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-66442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:59:38.178674Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "CWE-385 Covert Timing Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:58:42.109Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"url": "https://github.com/Mbed-TLS/TF-PSA-Crypto/releases"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/"}], "descriptions": [{"lang": "en", "value": "In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T19:28:05.685Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66442", "state": "PUBLISHED", "dateUpdated": "2026-04-01T20:00:06.815Z", "dateReserved": "2025-12-01T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "E63DA70A-502D-4389-B0BE-51F0227F1151", "versionEndIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:tf-psa-crypto:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A5B330B-0928-4C3E-9CC2-B2E4D81D96DE", "versionEndIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected."}], "id": "CVE-2025-66442", "lastModified": "2026-04-03T20:04:38.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T20:16:22.107", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/Mbed-TLS/TF-PSA-Crypto/releases"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/Mbed-TLS/mbedtls/releases"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-385"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "mbedtls: Mbed TLS and TF-PSA-Crypto: Information disclosure via compiler-induced timing side channel", "id": "2453969", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453969"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-733", "details": ["In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.", "A flaw was found in Mbed TLS and TF-PSA-Crypto. This vulnerability is a compiler-induced timing side channel that occurs when the LLVM compiler's select-optimize feature is enabled. A remote attacker could potentially exploit this timing difference during RSA and CBC/ECB decryption operations to infer sensitive information, such as cryptographic keys."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-66442", "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66442\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66442\nhttps://github.com/Mbed-TLS/TF-PSA-Crypto/releases\nhttps://github.com/Mbed-TLS/mbedtls/releases\nhttps://mbed-tls.readthedocs.io/en/latest/security-advisories/\nhttps://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/"], "statement": "This Moderate impact flaw in Mbed TLS and TF-PSA-Crypto is a compiler-induced timing side channel. When the LLVM compiler's select-optimize feature is enabled, a remote attacker could potentially exploit timing differences during RSA and CBC/ECB decryption operations to infer sensitive information, such as cryptographic keys. This affects Red Hat community projects such as Fedora and EPEL.", "threat_severity": "Moderate"}