CVE-2025-66442
In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.
-
exploitation prediction scoring system. probability this vulnerability will be exploited in the wild in the next 30 days.
cvss
common vulnerability scoring system v3.1. measures intrinsic severity on a 0-10 scale.
epss
0.0001
kev
no
cisa known exploited vulnerabilities catalog. confirmed active exploitation.
CVSS 3.1
Common Vulnerability Scoring System v3.1
5.1
/ 10
MEDIUM
exploitability
Attack Vector
Local
Attack Vector (AV:L): requires local access. attacker must have shell access or physical login.
Attack Complexity
High
Attack Complexity (AC:H): exploitation requires specific conditions outside the attacker's control (race condition, non-default config, etc).
Privileges Required
None
Privileges Required (PR:N): no authentication needed. any anonymous attacker can exploit this.
User Interaction
None
User Interaction (UI:N): no victim action needed. fully exploitable without user interaction.
impact
Scope
Unchanged
Scope (S:U): impact limited to the vulnerable component.
Confidentiality
High
Confidentiality (C:H): total information disclosure. attacker gains access to all data within the component.
Integrity
None
Integrity (I:N): no integrity impact.
Availability
None
Availability (A:N): no availability impact.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
activity density
rdintel assessment
composite score from 15+ signals including exploitation status, epss probability, detection coverage, and community attention. 0-100 scale.
sign in to view full intelligence
pocs, detection rules, timeline, advisories, and more