#VU124854 Information Exposure Through Timing Discrepancy in mbed TLS and TF-PSA-Crypto - CVE-2025-66442

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper protection against side-channel leakage in padding validation code when processing chosen ciphertexts and measuring decryption timing precisely. A remote attacker can submit crafted ciphertexts and observe precise decryption timing to disclose sensitive information.

This issue affects RSA PKCS#1 v1.5 decryption and one-and-zeros unpadding, and may enable recovery of ciphertext contents but not the key. It is known to occur when TF-PSA-Crypto or Mbed TLS is built with Clang 18 with the LLVM select-optimize feature enabled for 64-bit RISC-V.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

The vendor recommends rebuilding TF-PSA-Crypto or Mbed TLS with the LLVM option select-optimize disabled, for example by using only default optimization flags such as -O2 or -Os.

External links

• https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
• https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/