CVE-2025-11932 - How a Non-Constant Time PSK Binder Leak Can Break Your TLS 1.3 Security

CVE-2025-11932 is a newly disclosed vulnerability affecting certain TLS 1.3 server implementations. The issue? The server used a non-constant time method to verify the PSK (Pre-Shared Key) binder during the handshake. This flaw can leak subtle timing information, which attackers may exploit to recover sensitive secrets and impersonate clients.

Let’s break down what happened, why it matters, and show some code that demonstrates the attack potential—in terms anyone can follow.

What’s the Big Deal with TLS 1.3 and PSK Binders?

TLS 1.3 is the secure communications protocol most sites default to now, especially for HTTPS and other encrypted traffic. It’s fast and secure. One of its important features is support for Pre-Shared Keys (PSKs), which allow two endpoints that already share a secret to set up a secure connection very quickly—often called session resumption.

When a client wants to resume a session, it proves knowledge of the PSK by including a “binder” value. This value is supposed to be checked by the server in a way that does not reveal anything based on how long it takes or how the server responds, even if the binder is wrong.

But some servers, affected by CVE-2025-11932, check this binder with code that runs faster or slower depending on the correctness of parts of the value. In security speak, it’s not “constant time.” Even tiny differences can be used by attackers with enough network access.

Why Does Constant-Time Verification Matter?

Imagine a safe with a lock you turn: if the pins click at slightly different speeds for the correct key versus the wrong key, a determined burglar with sensitive equipment can figure out the key, one part at a time.

Timing attacks on cryptography work the same way. Even if the server is always sending back a generic error, attackers can analyze tiny differences in response times, learning which bytes of the binder are correct and which aren’t—eventually reconstructing the PSK itself.

Here’s an introductory writeup on timing attacks, and here’s the official CVE-2025-11932 record.

Here’s some simplified pseudocode showing how the broken check might have looked

// BAD: Not constant time
bool check_psk_binder(byte* input, byte* correct, int len) {
    for (int i = ; i < len; i++) {
        if (input[i] != correct[i])
            return false;  // returns early
    }
    return true;
}

This function returns as soon as it finds the first incorrect byte. An attacker could send different binder guesses and time how long it takes to respond. If they guess the first byte correctly, the server takes longer to reject the binder, and so on.

A more secure, constant-time version

// GOOD: Constant-time check
bool check_psk_binder(byte* input, byte* correct, int len) {
    uint8_t result = ;
    for (int i = ; i < len; i++) {
        result |= input[i] ^ correct[i];
    }
    return result == ;
}

Here, every byte is always compared, and the result is only decided after the loop, making timing measurements useless.

Exploit Details—How an Attacker Uses This

1. Setup: The attacker gains a lot of network access, maybe as a malicious user on the same Wi-Fi or inside a data center.
2. Spray and Listen: The attacker sends a huge number of TLS “Client Hello” packets with mostly-wrong binder values, but carefully fuzzes one binder byte at a time.
3. Timing Analysis: By measuring server response times for each guess, the attacker finds out if they guessed an extra correct byte (since the server takes a little longer to respond).

Byte-by-Byte Recovery: Repeats for each byte, reconstructing the full PSK binder.

5. Impersonation: Once in possession of the PSK, the attacker can resume TLS sessions as the legitimate client, bypassing normal authentication.

Here’s a simple Python snippet that an attacker might use for this kind of bytewise probe

import time
import socket

def send_psk_binder_guess(host, port, guess_binder):
    s = socket.socket()
    s.connect((host, port))
    # Construct Client Hello with guess_binder as the PSK binder
    s.sendall(build_client_hello(guess_binder))
    start = time.time()
    resp = s.recv(1024)
    elapsed = time.time() - start
    s.close()
    return elapsed

Who’s Affected?

This flaw affected servers using vulnerable TLS libraries—often custom code or those that didn’t properly use the recommended RFC 5246 Section 6.3 constant-time comparison routines.

Some open source libraries have already patched this. Check your vendor’s security advisories and upgrade now!

- OpenSSL security advisories
- Mozilla NSS security advisories

How to Defend

1. Always use constant-time compare functions for sensitive cryptographic operations, especially authentication tokens, passwords, and PSK binders!
2. Update Your Servers: Make sure your TLS stack is up to date with the official patches for CVE-2025-11932.
3. Audit Custom Code: If you wrote your own binder checks, check for early returns and any secrets-dependent branches.

Further Reading

- Timing Attacks in Practice
- How to Safely Compare Secrets
- TLS 1.3 RFC
- CVE-2025-11932 at NVD

Summary

CVE-2025-11932 shows how minor protocol mistakes can lead to big problems. If your server compares secret values too fast—telling attackers when they got a little closer to the answer—they can slowly reconstruct your secrets. Timing attacks are subtle but powerful, and this flaw is a great reminder for us all: for cryptography, “how you check” matters as much as “what you check.”

Timeline

Published on: 11/21/2025 23:15:44 UTC
Last modified on: 12/08/2025 15:39:21 UTC