CVE-2025-54764
Mbed TLS vulnerability analysis and mitigation

Overview

CVE-2025-54764 affects Mbed TLS versions up to and including 3.6.4 and was disclosed on October 15, 2025. The vulnerability is a local timing side channel in certain RSA operations and in direct calls to mbedtls_mpi_inv_mod() and mbedtls_mpi_gcd(). The issue was independently discovered by two teams, the SSBleed team and the M-Step team (Mbed Advisory).

Technical details

The vulnerability lies in Mbed TLS's modular inversion routine (mbedtls_mpi_inv_mod()) and GCD routine (mbedtls_mpi_gcd()), whose execution time depends on the values of their inputs, making them susceptible to local timing attacks. Affected operations include RSA key generation through any API, use of mbedtls_rsa_complete() to import incomplete RSA private keys, and, when MBEDTLS_RSA_NO_CRT is enabled, additional RSA private-key operations. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM) (AttackerKB).
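To make concrete why an input-dependent inversion or GCD routine is a timing side channel, here is an added example, not code from Mbed TLS or from the advisory: a 64-bit toy implementation of the textbook binary GCD and binary extended-Euclid inversion (HAC Algorithm 14.61) that counts its loop iterations. It assumes that the real mbedtls_mpi_gcd() and mbedtls_mpi_inv_mod() are multi-precision versions of the same binary algorithms; the page itself states only that they are susceptible to local timing attacks. The moduli and "secret" operands in main() are constructed sample values.

```c
/* Added example (not Mbed TLS code): a 64-bit toy showing why textbook
 * binary GCD / binary extended-Euclid inversion leak through timing.
 * Every loop iteration is counted; the count, a proxy for running time,
 * depends on the operand values and not just on their bit length.
 * Assumption: Mbed TLS's real routines are multi-precision variants of
 * these algorithms; the advisory only says they are timing-vulnerable. */
#include <stdint.h>
#include <stdio.h>

/* Binary GCD of a and b; *steps receives the number of loop iterations. */
uint64_t gcd_counted(uint64_t a, uint64_t b, unsigned *steps)
{
    unsigned n = 0, shift = 0;
    if (a == 0 || b == 0) { *steps = 0; return a | b; }
    /* Strip common factors of two. */
    while (((a | b) & 1) == 0) { a >>= 1; b >>= 1; shift++; n++; }
    while ((a & 1) == 0) { a >>= 1; n++; }
    while (b != 0) {
        while ((b & 1) == 0) { b >>= 1; n++; }   /* shift count is value-dependent */
        if (a > b) { uint64_t t = a; a = b; b = t; }
        b -= a;                                   /* so is the subtraction count */
        n++;
    }
    *steps = n;
    return a << shift;
}

/* Inverse of a mod m for odd m < 2^63 with gcd(a, m) == 1, via the binary
 * extended Euclidean algorithm. Returns 0 if no inverse exists.
 * *steps counts loop iterations (halvings plus subtractions). */
uint64_t inv_mod_counted(uint64_t a, uint64_t m, unsigned *steps)
{
    unsigned n = 0, g_steps;
    uint64_t u = a % m, v = m, x1 = 1, x2 = 0;
    *steps = 0;
    if (m < 3 || (m & 1) == 0 || u == 0 || gcd_counted(u, m, &g_steps) != 1)
        return 0;
    while (u != 1 && v != 1) {
        while ((u & 1) == 0) {            /* halve u, keep x1 == u * a^-1 (mod m) */
            u >>= 1;
            x1 = (x1 & 1) ? (x1 + m) >> 1 : x1 >> 1;
            n++;
        }
        while ((v & 1) == 0) {
            v >>= 1;
            x2 = (x2 & 1) ? (x2 + m) >> 1 : x2 >> 1;
            n++;
        }
        if (u >= v) {                     /* branch direction depends on secrets */
            u -= v;
            x1 = (x1 >= x2) ? x1 - x2 : x1 + m - x2;
        } else {
            v -= u;
            x2 = (x2 >= x1) ? x2 - x1 : x2 + m - x1;
        }
        n++;
    }
    *steps = n;
    return (u == 1) ? x1 : x2;            /* already reduced into [0, m) */
}

/* Small wrappers so each quantity is available as a return value. */
uint64_t gcd_value(uint64_t a, uint64_t b) { unsigned s; return gcd_counted(a, b, &s); }
unsigned gcd_steps(uint64_t a, uint64_t b) { unsigned s; gcd_counted(a, b, &s); return s; }
uint64_t inv_mod(uint64_t a, uint64_t m)   { unsigned s; return inv_mod_counted(a, m, &s); }
unsigned inv_steps(uint64_t a, uint64_t m) { unsigned s; inv_mod_counted(a, m, &s); return s; }

/* 1 if inv_mod() returns a working inverse; requires m < 2^32 so a*x fits. */
int inverse_ok(uint64_t a, uint64_t m)
{
    uint64_t x = inv_mod(a, m);
    return x != 0 && (a % m) * x % m == 1;
}

int main(void)
{
    /* Constructed sample: fixed 16-bit prime modulus, several same-size secrets. */
    const uint64_t m = 65521;
    const uint64_t secrets[] = { 40961, 41217, 49153, 57345, 65519 };
    for (size_t i = 0; i < sizeof secrets / sizeof secrets[0]; i++) {
        printf("a=%5llu  inv=%5llu  inv_steps=%3u  gcd_steps=%3u  ok=%d\n",
               (unsigned long long)secrets[i],
               (unsigned long long)inv_mod(secrets[i], m),
               inv_steps(secrets[i], m), gcd_steps(secrets[i], m),
               inverse_ok(secrets[i], m));
    }
    return 0;
}
```

With the modulus fixed, the iteration count differs between operands of the same bit length (4 iterations for 3 mod 7 versus 3 for 5 mod 7, for example), and the data-dependent shift loops and the u >= v branch are exactly the constructs a local attacker sharing the core can observe through microarchitectural state. A constant-time inversion removes both: it runs a fixed number of iterations and replaces the branch with arithmetic selection.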

Impact

When exploited during a vulnerable RSA operation, the vulnerability allows an attacker to fully recover the RSA private key. For direct calls to mbedtls_mpi_inv_mod() or mbedtls_mpi_gcd(), the attacker can recover both inputs. The attack requires a local attacker able to run code on the same core as the victim, but does not require elevated privileges (Mbed Advisory).

Mitigation and workarounds

Applications that do not use RSA private keys and do not directly call mbedtls_mpi_inv_mod() or mbedtls_mpi_gcd() are not affected. Applications that do not generate RSA keys and do not import private RSA keys with mbedtls_rsa_import() followed by mbedtls_rsa_complete() can mitigate the issue by recompiling without MBEDTLS_RSA_NO_CRT. The permanent fix is to upgrade to Mbed TLS 3.6.5 or TF-PSA-Crypto 1.0 (Mbed Advisory).


Related Mbed TLS vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                    | CISA KEV exploit | Has fix | Published date
CVE-2025-47917 | CRITICAL | 9.8   | Mbed TLS     | Mbed TLS (cpe:2.3:a:arm:mbed_tls) | No               | Yes     | Jul 20, 2025
CVE-2025-48965 | HIGH     | 7.5   | Mbed TLS     | Mbed TLS, dolphin-emu-tool        | No               | Yes     | Jul 20, 2025
CVE-2025-54764 | MEDIUM   | 6.2   | Mbed TLS     | Mbed TLS (cpe:2.3:a:arm:mbed_tls) | No               | Yes     | Oct 20, 2025
CVE-2025-59438 | MEDIUM   | 5.3   | Mbed TLS     | Mbed TLS (cpe:2.3:a:arm:mbed_tls) | No               | Yes     | Oct 21, 2025
CVE-2025-49087 | LOW      | 3.7   | Mbed TLS     | Mbed TLS, mbedtls                 | No               | Yes     | Jul 20, 2025
