CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.
Analysis
A compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 can leak secret material handled by the RSA decryption and CBC/ECB decryption paths when the library is compiled with LLVM's select-optimize feature enabled. The source is written in constant-time style (masks and branch-free selects instead of secret-dependent branches), but the optimization rewrites some of those selects into conditional branches, so execution time once again depends on secret data and the routines become observable to a local timing attacker, which is what the AV:L/AC:H vector above reflects.
Technical Context
Mbed TLS and TF-PSA-Crypto are widely used cryptographic libraries that implement RSA and the CBC and ECB block-cipher modes. The issue is compiler-specific: LLVM's select-optimize pass, which runs during code generation, converts select operations it judges profitable into branches, and in the constant-time RSA and block-cipher decryption routines that turns data-independent code into code whose timing depends on the data being processed. The root cause is an observable timing discrepancy (CWE-208): the library sources follow constant-time patterns correctly, and the compiler undoes them. Any binary built with select-optimize active is affected, including embedded firmware, TLS stacks and cryptographic services that rely on these libraries to protect key material.
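As an added example (not Mbed TLS or TF-PSA-Crypto source), the C below shows the pattern this advisory is about: a PKCS#7-style CBC padding check written first with an early-exit branch, then with the mask arithmetic constant-time libraries use so that every byte is inspected regardless of the secret. The 16-byte block size, the opaque-barrier helper, the function names and the sample buffers are assumptions made for illustration. The point to take away is that the second form is only constant-time if the compiler preserves it; a pass that rewrites a select back into a branch turns it into the first form, which is why the generated assembly, not the source, is what has to be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mbed TLS code: a PKCS#7 padding check for a 16-byte
 * block cipher (AES assumed), written twice. Both return 1 for valid padding,
 * 0 otherwise, and report the unpadded length via plain_len when non-NULL. */

#define BLOCK 16

/* Vulnerable form: returns as soon as a byte mismatches, so the number of
 * loop iterations, and therefore the running time, depends on secret data. */
int pad_check_naive(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len == 0 || len % BLOCK != 0)
        return 0;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK)
        return 0;
    for (size_t i = 0; i < pad; i++) {
        if (buf[len - 1 - i] != pad)
            return 0;
    }
    if (plain_len)
        *plain_len = len - pad;
    return 1;
}

/* Opaque barrier (assumed helper): an empty asm statement the optimizer cannot
 * see through, so it cannot prove a mask is 0 or ~0 and fold the arithmetic
 * below into a branch. It constrains the middle-end only; a late code-generation
 * pass such as LLVM's select-optimize can still turn a select it finds into a
 * branch, which is why the emitted assembly must be inspected. */
static uint32_t ct_opaque(uint32_t x)
{
    __asm__ volatile("" : "+r"(x));
    return x;
}

/* ~0 if x != 0, else 0: for any nonzero x, x | -x has its top bit set. */
static uint32_t ct_mask_nonzero(uint32_t x)
{
    x = ct_opaque(x);
    return 0u - ((x | (0u - x)) >> 31);
}

/* ~0 if a < b (unsigned), else 0: the classic branch-free comparison. */
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)
{
    a = ct_opaque(a);
    return 0u - ((a ^ ((a ^ b) | ((a - b) ^ b))) >> 31);
}

/* Hardened form: the last BLOCK bytes are always read, every one is compared,
 * and the verdict is accumulated in a mask. Only len (public) is branched on. */
int pad_check_ct(const uint8_t *buf, size_t len, size_t *plain_len)
{
    if (len == 0 || len % BLOCK != 0)
        return 0;
    uint32_t pad = buf[len - 1];
    uint32_t bad = ~ct_mask_lt(pad - 1u, BLOCK);   /* valid range is 1..BLOCK */
    for (size_t i = 0; i < BLOCK; i++) {
        uint32_t in_pad = ct_mask_lt((uint32_t)i, pad);                  /* i < pad */
        uint32_t differs = ct_mask_nonzero((uint32_t)buf[len - 1 - i] ^ pad);
        bad |= in_pad & differs;
    }
    if (plain_len)
        *plain_len = len - (size_t)(pad & ~bad);   /* equals len when padding is bad */
    return (int)(~bad & 1u);
}

/* Constructed samples (not real decryption output). Returns how many of the
 * six cases both forms classify identically, with matching plaintext lengths. */
int selfcheck(void)
{
    const struct { const char *buf; size_t len; int valid; size_t plain; } cases[] = {
        { "abcdefghijkl\x04\x04\x04\x04", 16, 1, 12 },                  /* pad 4 */
        { "\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10", 16, 1, 0 },
        { "abcdefghijklmno\x00", 16, 0, 0 },                             /* pad byte 0 */
        { "abcdefghijklmno\x11", 16, 0, 0 },                             /* pad 17 > BLOCK */
        { "abcdefghijklm\x05\x03\x03", 16, 0, 0 },                       /* mismatch inside pad */
        { "abcdefghijklmno", 15, 0, 0 },                                 /* not a block multiple */
    };
    int agree = 0;
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        size_t n1 = 0, n2 = 0;
        int r1 = pad_check_naive((const uint8_t *)cases[c].buf, cases[c].len, &n1);
        int r2 = pad_check_ct((const uint8_t *)cases[c].buf, cases[c].len, &n2);
        if (r1 == cases[c].valid && r2 == cases[c].valid &&
            (!cases[c].valid || (n1 == cases[c].plain && n2 == cases[c].plain)))
            agree++;
    }
    return agree;
}

int main(void)
{
    size_t n = 0;
    int ok = pad_check_ct((const uint8_t *)"abcdefghijkl\x04\x04\x04\x04", 16, &n);
    printf("sample: valid=%d plain_len=%zu\n", ok, n);
    printf("cases where both forms agree: %d of 6\n", selfcheck());
    return 0;
}
```

Compile with `clang -O2 -S` and read the assembly of `pad_check_ct`: a conditional branch inside the loop means the toolchain has reintroduced a secret-dependent branch, whatever the source looks like. The asm barrier hides values from the optimizer but does not control late code-generation passes, so it is a mitigation, not a proof.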
Affected Products
Mbed TLS versions through 4.0.0 and TF-PSA-Crypto (the PSA Crypto implementation maintained alongside Mbed TLS) versions through 1.0.0 are affected. The side channel only manifests in builds compiled with LLVM's select-optimize feature enabled; builds from other toolchains, or LLVM builds with the pass disabled, are not affected, but this is a property of each binary rather than of a library version and has to be checked per build. Both libraries are distributed via GitHub releases and are embedded in numerous TLS stacks, IoT platforms and cryptographic services. Consult the official Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/ for the complete list of affected releases and fixed versions.
Remediation
Upgrade Mbed TLS to a fixed release after 4.0.0 and TF-PSA-Crypto to a fixed release after 1.0.0; the exact fixed version numbers are listed on the release pages (https://github.com/Mbed-TLS/mbedtls/releases and https://github.com/Mbed-TLS/TF-PSA-Crypto/releases) and in the security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/. As an interim mitigation, rebuild with the select-optimize pass turned off. It is a code-generation option passed to LLVM rather than an optimization level, so changing -O is not a targeted fix, and the exact option name should be confirmed against the option list of your compiler version. Whether the pass is active depends on the LLVM version, target architecture and optimization level, so do not assume it is off: confirm it by compiling the constant-time helpers with -S and checking the emitted assembly for conditional branches that depend on secret data, rather than by reading the source. Builds produced with GCC or other non-LLVM compilers are outside the scope of this issue.
EUVD-2025-209171