Data Transmission Without Encryption Vulnerability in Apache NimBLE
CVE-2025-52435

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Mynewt Nimble
Vendor
CVE Published:
10 January 2026

What is CVE-2025-52435?

A vulnerability exists in Apache NimBLE due to improper handling of the Pause Encryption procedure on the Link Layer. This flaw may leave an existing encrypted connection unprotected, allowing eavesdroppers to intercept and observe subsequent data transmissions. Users are advised to upgrade to version 1.9.0 or later to mitigate this risk effectively.

Affected Version(s)

Apache Mynewt NimBLE 0 <= 1.8.0

References

https://github.com/apache/mynewt-nimble/commit/164f1c23c1...
patch
https://github.com/apache/mynewt-nimble/commit/ec3d75e909...
patch
https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z23...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Henrik Schnor <henrik.schnor@mailbox.org>
JSON
.