
Mbed TLS CVE-2025-49087

Severity: MEDIUM (CVSS 3.1 base score 4.0, NVD)
Weakness: Covert Timing Channel (CWE-385)
N/A · vendor: alpine

Severity by source

NVD (primary): 4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

PoC Detected - Jun 05, 2026 - 19:52 (NVD)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-5.md
CVSS changed - Jun 05, 2026 - 19:52 (NVD): 4.0 (MEDIUM)
Analysis Generated - May 27, 2026 - 23:14 (vuln.today)

Description (CVE.org)

Alpine Linux: mbedtls fixed in 3.6.4-r0

Analysis (AI)

Mbed TLS on Alpine Linux contains a vulnerability addressed by upgrading the Alpine package to version 3.6.4-r0. The specific flaw, its CWE classification, and CVSS severity are not disclosed in available intelligence; only the fix version and the affected platform (Alpine Linux) are confirmed. With an EPSS score of 0.43% (63rd percentile), the exploitation probability is low in absolute terms, though the percentile ranking places it above the majority of tracked CVEs. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context (AI)

Mbed TLS (formerly PolarSSL) is a widely embedded open-source TLS/SSL and cryptographic library maintained by Arm, commonly used in IoT, embedded systems, and lightweight Linux distributions such as Alpine Linux. Alpine Linux packages it under the 'mbedtls' package name, and the fix is delivered as Alpine package version 3.6.4-r0, corresponding to upstream Mbed TLS version 3.6.4. The nature of the underlying vulnerability - whether it affects TLS handshake logic, certificate parsing, cryptographic primitive implementation, or memory management - is not disclosed in available data. No CWE root cause class has been assigned, preventing deeper technical classification.

Remediation (AI)

The primary fix is to upgrade the Alpine Linux 'mbedtls' package to version 3.6.4-r0 or later using the standard Alpine package manager: 'apk upgrade mbedtls'. This is a vendor-confirmed fix per Alpine's own reporting. No workarounds are documented in available intelligence; given that the vulnerability specifics are undisclosed, generic compensating controls cannot be responsibly recommended without risking under- or over-mitigation. Operators running Alpine-based containers or systems with mbedtls as a dependency should rebuild and redeploy affected images after upgrading. No upstream Arm/Mbed TLS advisory URL was available in the provided intelligence - consult https://github.com/Mbed-TLS/mbedtls/releases and the Alpine Linux security tracker for additional context.
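The remediation above reduces to one check an operator has to repeat across many images: is the installed 'mbedtls' package at or above 3.6.4-r0? The POSIX shell script below is an added example written for this page, not code from vuln.today, Alpine or the Mbed TLS project. It compares Alpine-style version strings (MAJOR.MINOR.PATCH-rRELEASE) numerically so that 3.6.10-r2 correctly sorts above 3.6.4-r0, and the list of installed versions it walks is constructed sample input; on a real host or inside a container build you would feed it the version column from `apk info -v mbedtls` or `apk version mbedtls` instead.

```shell
#!/bin/sh
# Added example (not from the page, Alpine or Mbed TLS): gate on the fixed
# Alpine package version named in the advisory text, 3.6.4-r0.

FIXED_VERSION="3.6.4-r0"

# ver_to_key VERSION
# Maps "MAJOR.MINOR.PATCH-rREL" to a single integer so versions can be
# compared with -ge. Missing components default to 0; a version without an
# "-rN" suffix is treated as release 0.
ver_to_key() {
    _base="${1%%-r*}"              # "3.6.4-r0" -> "3.6.4"
    _rel="${1##*-r}"               # "3.6.4-r0" -> "0"
    [ "$_rel" = "$1" ] && _rel=0   # no "-r" suffix present
    _oldifs="$IFS"; IFS='.'
    set -- $_base                  # split "3.6.4" into positional params
    IFS="$_oldifs"
    echo $(( ${1:-0} * 1000000000000 + ${2:-0} * 100000000 + ${3:-0} * 10000 + $_rel ))
}

# mbedtls_is_fixed VERSION
# Exit status 0 when VERSION is at or above FIXED_VERSION, 1 otherwise.
mbedtls_is_fixed() {
    [ "$(ver_to_key "$1")" -ge "$(ver_to_key "$FIXED_VERSION")" ]
}

# Constructed sample input standing in for the installed-version column of
# `apk version mbedtls` collected from several hosts or images.
SAMPLE_INSTALLED="3.6.3-r1
3.6.4-r0
3.6.10-r2
2.28.9-r0"

# check_sample
# Reports each sampled version as fixed or in need of the package upgrade
# and image rebuild the remediation text calls for.
check_sample() {
    for v in $SAMPLE_INSTALLED; do
        if mbedtls_is_fixed "$v"; then
            echo "mbedtls $v: at or above $FIXED_VERSION, no action needed"
        else
            echo "mbedtls $v: below $FIXED_VERSION, run 'apk upgrade mbedtls' and rebuild the image"
        fi
    done
}

check_sample
```

The integer key keeps the comparison free of the octal and lexical pitfalls of comparing padded strings or raw `x.y.z` values in shell; if you extend it to other Alpine packages, only FIXED_VERSION and the package name in the message change.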


CVE-2025-49087 vulnerability details – vuln.today
