Hi Matt,

First, thank you very much for backporting security fixes. The maintenance team is aware that 3 years is quite short for a long-time support branch, but we simply don't have the resources to maintain many old branches.

For CVE-2025-59438 (PKCS7 padding decryption through PSA), I think you can easily cherry-pick the changes in the library, and run the existing tests to ensure that this doesn't break functionality. Backporting the tests to ensure that the new code is constant-time would be a lot harder.

For CVE-2025-54764 (RSA side channels), I think the only realistic path is to copy bignum_core.c and at least parts of bignum.c from 3.6, and then probably backport some related changes to rsa*.c. Our fix relies heavily on the groundwork that we had done in early 3.x versions in rewriting parts of bignum to be caller-allocating and constant-time.

You may consider skipping CVE-2025-54764, depending on your threat model. This patch defends against a timing attack that can recover secrets in a single trace. The code is also protected by randomized blinding, which defeats a large class of attacks that require many traces. Obtaining precise timing measurements in a single trace is easy in some environments, such as microcontrollers, or operating systems attacking a hypervisor or secure environment. It is a lot harder from user-mode software running on a PC/server-style CPU. That being said, attack techniques only ever get better, and published attack techniques tend to lag behind unpublished ones. So I am definitely not claiming that CVE-2025-54764 is irrelevant for a typical Linux or Windows environment.

Best of luck,