Mbed TLS is now part of TrustedFirmware.org.

Side channel attack on ECDSA

Title Side channel attack on ECDSA
CVE CVE-2019-18222
Date 15th January 2020
Affects All versions of Mbed TLS and Mbed Crypto
Impact The private key is recoverable through side channels.
Severity High
Credit Alejandro Cabrera Aldaya and Billy Brumley


Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.


If the adversary is in the position to launch a cache attack, then they may be able to recover the private key.


Affected users should upgrade to one of the most recent versions of Mbed TLS, including 2.20.0, 2.16.4 or 2.7.13 or later. Similarly, affected users should upgrade to the most recent version of Mbed Crypto, including 3.0.1 or later.

edit: Earlier, this document falsely stated that Mbed Crypto 3.0.0 fixes this issue. This is not true, Mbed Crypto 3.0.1 is the earliest version with the fix. Users should upgrade to Mbed Crypto 3.0.1 or later.


There are no known workarounds.

Like this?

Security Advisories



Last updated:
Jan 27, 2020


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.