Vulnerability DatabaseCVE-2025-52496

CVE-2025-52496:
Mbed TLS vulnerability analysis and mitigation

Overview

Mbed TLS before version 3.6.4 contains a race condition vulnerability in AESNI detection when certain compiler optimizations occur (NVD). The vulnerability was disclosed on July 4, 2025, and affects the cryptographic functionality of the Mbed TLS library.

Technical details

The vulnerability exists as a race condition in the AESNI (Advanced Encryption Standard New Instructions) detection mechanism when specific compiler optimizations are applied. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, indicating local access required with high attack complexity but no privileges or user interaction needed (NVD, Ubuntu).

Impact

The vulnerability can allow an attacker to extract an AES key from a multithreaded program or perform a GCM (Galois/Counter Mode) forgery. This poses a significant risk to the confidentiality and integrity of encrypted communications in affected systems (NVD).

Mitigation and workarounds

The primary mitigation is to upgrade Mbed TLS to version 3.6.4 or later, which contains the fix for this vulnerability. Organizations using affected versions should prioritize this update to prevent potential exploitation (NVD).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.8

Score

Published July 4, 2025

Severity HIGH

CNA Score 7.8

Affected Technologies

Mbed TLS
Linux Fedora

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 3.4

Exploitation Probability (EPSS) N/A

Affected packages and libraries

mbedtls
cpe:2.3:a:arm:mbed_tls

Sources

Alpine Security Tracker
- Alpine 3.20, 3.21, 3.22, edge Severity HIGHHas FixAdded at: Jul 23, 2025
- Alpine 3.23 Severity HIGHHas FixAdded at: Dec 04, 2025
Debian Security Tracker
- Debian 11, 13 Severity HIGHHas FixAdded at: Jul 06, 2025
- Debian 12 Severity HIGHNo FixAdded at: Jul 06, 2025
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04, 25.04 Severity MEDIUMNo FixAdded at: Oct 09, 2025
- Ubuntu 25.10 Severity MEDIUMNo FixAdded at: Oct 13, 2025
NVD
- Linux Severity HIGHHas FixAdded at: Sep 23, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Mbed TLS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-47917	CRITICAL	9.8	Mbed TLS	mbedtls	No	Yes	Jul 20, 2025
CVE-2025-48965	HIGH	7.5	Mbed TLS	cpe:2.3:a:arm:mbed_tls	No	Yes	Jul 20, 2025
CVE-2025-54764	MEDIUM	6.2	Mbed TLS	cpe:2.3:a:arm:mbed_tls	No	Yes	Oct 20, 2025
CVE-2025-59438	MEDIUM	5.3	Mbed TLS	mpy-tools	No	Yes	Oct 21, 2025
CVE-2025-49087	LOW	3.7	Mbed TLS	cpe:2.3:a:arm:mbed_tls	No	Yes	Jul 20, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-52496: Mbed TLS vulnerability analysis and mitigation