CVE-2025-12888

Severity CVSS v4.0:

LOW

Type:

Unavailable / Other

Publication date:

21/11/2025

Last modified:

21/11/2025

Description

Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa.

Impact

Vector 4.0

CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 1.00 LOW
Vector: CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

Attack Vector (AV): Physical
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): None

Base Score 4.0

1.00

Severity 4.0

LOW

References to Advisories, Solutions, and Tools

https://https://github.com/wolfSSL/wolfssl/pull/9275