Executive Summary

CVE-2026-25835 is a vulnerability in the Mbed TLS library's Platform Security Architecture (PSA) random number generator. It involves improper handling or cloning of the PSA random generator state, which can lead to security weaknesses in cryptographic operations that rely on randomness.

Specifically, the vulnerability allows attackers to predict or reproduce random values because the random number generator's state can be duplicated or cloned incorrectly. This undermines the cryptographic strength of operations depending on secure randomness.

The issue affects Mbed TLS versions before 3.6.6 and TF-PSA-Crypto before 1.1.0. Fixes include introducing fork protection mechanisms and new functions to prevent random generator state duplication and ensure secure random number generation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by weakening the security of cryptographic operations that depend on the random number generator in Mbed TLS or TF-PSA-Crypto.

If an attacker can predict or reproduce random values due to this flaw, they may be able to compromise encryption keys, authentication tokens, or other security mechanisms that rely on randomness, potentially leading to unauthorized access or data breaches.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper handling or cloning of the PSA random number generator state within the Mbed TLS library, which is a software component rather than a network service. Detection typically involves verifying the version of Mbed TLS or TF-PSA-Crypto in use to determine if it is before the fixed versions (Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0).

There are no specific network detection commands or signatures provided for this vulnerability. Instead, detection should focus on software inventory and version checks.

• Check the installed version of Mbed TLS: For example, if Mbed TLS is installed as a package, use commands like `mbedtls_version` if available, or check package manager info, e.g., `dpkg -l | grep mbedtls` on Debian-based systems.
• If Mbed TLS is built from source, check the version in the source directory or the version string in the library headers.
• Review application dependencies to identify if they link against vulnerable versions of Mbed TLS or TF-PSA-Crypto.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves updating the affected libraries to versions that include the fix for this vulnerability.

• Upgrade Mbed TLS to version 3.6.6 or later.
• Upgrade TF-PSA-Crypto to version 1.1.0 or later.

The fixes include fork protection mechanisms and new functions to prevent random generator state duplication and ensure secure random number generation.

If immediate upgrade is not possible, review the security advisory for any available work-arounds or temporary mitigations, such as avoiding process forking after random generator initialization.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how CVE-2026-25835 affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0