Files
Deepak Rathore 0eda0f3c55 mbedtls: set CVE_STATUS for CVE-2025-66442
Analysis:
- The Mbed TLS advisory states the issue occurs when LLVM
  select-optimize is enabled. [1]
- The same advisory also states that Arm/x86 builds with
  MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls
  configuration in this branch enables MBEDTLS_HAVE_ASM.
- NVD also describes the issue as occurring only with LLVM's
  select-optimize feature. [2]
- The mbedtls recipes now evaluate the effective build flags across
  target, native, and nativesdk variants, handle the supported
  -mllvm spellings, and only mark the CVE unpatched when the
  vulnerable LLVM option combination is explicitly enabled and the
  Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply.
- When those conditions are not met, the current mbedtls build
  configuration is not affected.
- Hence ignoring/deferred the CVE for now.

Reference:
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-07-07 11:22:40 -07:00
..
2026-01-20 08:27:11 -08:00
2025-07-07 10:00:53 -07:00
2025-12-10 08:56:12 -08:00
2026-03-27 09:08:53 -07:00
2026-06-26 19:59:33 -07:00
2026-02-25 09:49:49 -08:00
2026-06-07 18:21:49 -07:00
2026-01-12 10:25:56 -08:00
2025-03-20 08:46:55 -07:00
2025-07-15 00:25:32 -07:00
2026-06-28 00:59:11 -07:00
2025-11-10 20:31:54 -08:00
2023-02-20 00:23:02 -08:00
2025-12-08 23:22:19 -08:00