cve 2025 52496

About this tag
CVE-2025-52496 is a vulnerability in Mbed TLS versions before 3.6.4: a race condition in the AES-NI (AESNI) detection path. Under specific compiler optimizations in a multithreaded program, the race can cause the library to fall back to its software AES/GCM implementation, exposing those operations to side-channel attacks that can allow AES key extraction or GCM forgery. The fix ships in Mbed TLS 3.6.4. Azure Linux is a Microsoft product publicly attested to include the vulnerable library; that attestation is a scoped inventory statement and does not guarantee that no other Microsoft artifact contains the same code. The discussion on WindowsForum.com covers the technical details of the vulnerability, its impact on cryptographic security, and the scope of affected Microsoft products.
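The race class described above, as a constructed C illustration added to this page (it is not Mbed TLS's code and not the exact change made in 3.6.4): a lazily cached hardware-capability probe split across two unsynchronized statics, beside a hardened version that publishes the probe result together with its "checked" flag in one atomic word, so no reader can observe a half-written state. The names probe_aesni, racy_has_aesni, hardened_has_aesni, choose_path and the CAP_* bits are this example's own; the CPUID probe uses GCC/clang's <cpuid.h> and answers "no AES-NI" on non-x86 builds.

```c
/* Constructed illustration (not Mbed TLS code) of the CVE-2025-52496 race class:
 * lazy, unsynchronized caching of an AES-NI capability probe, beside a hardened
 * version. All function and variable names here are this example's own. */
#include <stdatomic.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/clang: __get_cpuid(), bit_AES */
#endif

#define CAP_AESNI   (1u << 0)   /* probe result: CPU advertises AES-NI */
#define CAP_CHECKED (1u << 31)  /* probe has run; the other bits are valid */

enum aes_path { AES_PATH_HW = 1, AES_PATH_SW = 2 };

/* Ask CPUID leaf 1 whether AES-NI is present (ECX bit 25).
 * Returns 0 on non-x86 builds, i.e. "no hardware path". */
static unsigned probe_aesni(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return (ecx & bit_AES) ? CAP_AESNI : 0;
#endif
    return 0;
}

/* Dispatch: the hardware path is used only if the detector says so.
 * A detector that wrongly answers "no" silently selects the software path. */
static enum aes_path choose_path(int has_aesni)
{
    return has_aesni ? AES_PATH_HW : AES_PATH_SW;
}

/* --- VULNERABLE PATTERN ---------------------------------------------------
 * The "done" flag and the probe result live in two separate plain statics,
 * written without any synchronization. This is a data race under C11, so the
 * compiler may reorder the two stores; a second thread can then observe
 * racy_done == 1 while racy_info is still 0, conclude "no AES-NI", and take
 * the software path. */
static int      racy_done = 0;
static unsigned racy_info = 0;

static int racy_has_aesni(void)
{
    if (!racy_done) {
        racy_info = probe_aesni();
        racy_done = 1;          /* may become visible before racy_info */
    }
    return (racy_info & CAP_AESNI) != 0;
}

/* Reproduce deterministically what a second thread may observe in the racy
 * version: flag published, result not yet. Returns the path it would pick. */
static enum aes_path racy_path_under_torn_state(void)
{
    racy_done = 1;
    racy_info = 0;
    enum aes_path p = choose_path(racy_has_aesni());
    racy_done = 0;              /* reset so later callers re-probe */
    racy_info = 0;
    return p;
}

/* --- HARDENED PATTERN -----------------------------------------------------
 * The probe result and its "checked" bit are published together in ONE atomic
 * word with release/acquire ordering. A reader sees either 0 (not yet probed,
 * so it probes itself; re-probing is idempotent) or the complete result.
 * There is no state in which "checked" is set but the capability bits are not. */
static _Atomic unsigned hardened_caps = 0;

static int hardened_has_aesni(void)
{
    unsigned caps = atomic_load_explicit(&hardened_caps, memory_order_acquire);
    if (!(caps & CAP_CHECKED)) {
        caps = probe_aesni() | CAP_CHECKED;
        atomic_store_explicit(&hardened_caps, caps, memory_order_release);
    }
    return (caps & CAP_AESNI) != 0;
}

/* Invariant a test can check: the cached word is either untouched (0) or has
 * CAP_CHECKED set, and the cached answer always equals a fresh probe. */
static int hardened_state_consistent(void)
{
    unsigned caps = atomic_load_explicit(&hardened_caps, memory_order_acquire);
    if (caps != 0 && !(caps & CAP_CHECKED))
        return 0;
    return hardened_has_aesni() == ((probe_aesni() & CAP_AESNI) != 0);
}

int main(void)
{
    printf("fresh probe: AES-NI %s\n", (probe_aesni() & CAP_AESNI) ? "present" : "absent");
    printf("racy detector under torn state -> %s path\n",
           racy_path_under_torn_state() == AES_PATH_SW ? "software" : "hardware");
    printf("hardened detector -> %s path (consistent=%d)\n",
           choose_path(hardened_has_aesni()) == AES_PATH_SW ? "software" : "hardware",
           hardened_state_consistent());
    return 0;
}
```

Build with a C11 compiler (for example `gcc -std=gnu11 -O2 -Wall race.c`). On a CPU with AES-NI the racy detector still reports the software path once it is in the torn state, which is exactly the silent downgrade the advisory describes; the hardened detector cannot be put into that state because the flag and the result are one word. If you add a second thread calling racy_has_aesni, ThreadSanitizer (`-fsanitize=thread`) reports the unsynchronized pair of statics, while the atomic version is clean.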
  1. CVE-2025-52496: Mbed TLS AESNI Race and Azure Linux Attestation

    Mbed TLS versions before 3.6.4 contain a race in the AESNI detection path (tracked as CVE-2025-52496) that can, under specific compiler and multithreaded conditions, temporarily force the library to fall back to a software AES/GCM path and expose cryptographic operations to side-channel attacks...