CVE-2025-49087
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-07-20
Last updated on: 2025-08-07
Assigner: MITRE
Description
Description
In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arm | mbed_tls | From 3.6.1 (inc) to 3.6.4 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-385 | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a timing discrepancy in the block cipher padding removal process in Mbed TLS versions 3.6.1 through 3.6.3 before 3.6.4. Specifically, when PKCS#7 padding mode is used, an attacker can exploit the timing difference to recover the plaintext data.
How can this vulnerability impact me? :
An attacker can use this vulnerability to recover plaintext data from encrypted communications, potentially exposing sensitive information without needing to break the encryption itself.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70