anonhaven
Ad

CVE-2025-66442

MEDIUM CVSS 3.1: 5.1 EPSS 0.02%
Updated Apr 03, 2026
Arm
Parameter Value
CVSS 5.1 (MEDIUM)
Affected Versions before 4.0.0
Type CWE-385
Vendor Arm
Public PoC No

In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-385

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Arm Mbed_Tls
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*
 <= 4.0.0
Arm Tf-Psa-Crypto
cpe:2.3:a:arm:tf-psa-crypto:*:*:*:*:*:*:*:*
 <= 1.0.0

References 4

https://github.com/Mbed-TLS/TF-PSA-Crypto/releases
cve@mitre.org
https://github.com/Mbed-TLS/mbedtls/releases
cve@mitre.org
https://mbed-tls.readthedocs.io/en/latest/security-advisories/
cve@mitre.org
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-…
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34877

Arm

9.8

CVE-2026-34876

Arm

7.5

CVE-2026-34873

Arm

9.1

CVE-2026-34872

Arm

9.1

CVE-2026-34874

Arm

7.5