diff --git a/doc/releases/release-notes-4.1.rst b/doc/releases/release-notes-4.1.rst
index a3830fa95f455..5c7e3dec3ce90 100644
--- a/doc/releases/release-notes-4.1.rst
+++ b/doc/releases/release-notes-4.1.rst
@@ -42,6 +42,21 @@ The following CVEs are addressed by this release:
`_
* :cve:`2025-27810` `Potential authentication bypass in TLS handshake
`_
+* :cve:`2025-47917` `Misleading memory management in mbedtls_x509_string_to_names()
+ `_
+* :cve:`2025-48965` `NULL pointer dereference after using mbedtls_asn1_store_named_data()
+ `_
+* :cve:`2025-49087` `Timing side-channel in block cipher decryption with PKCS#7 padding
+ `_
+* :cve:`2025-49600` `Unchecked return value in LMS verification allows signature bypass
+ `_
+* :cve:`2025-49601` `Out-of-bounds read in mbedtls_lms_import_public_key()
+ `_
+* :cve:`2025-52496` `Race condition in AESNI support detection
+ `_
+* :cve:`2025-52497` `Heap buffer under-read when parsing PEM-encrypted material
+ `_
+
More detailed information can be found in:
https://docs.zephyrproject.org/latest/security/vulnerabilities.html
@@ -54,7 +69,8 @@ These GitHub issues were addressed since the previous 4.1.0 tagged release:
Mbed TLS
********
-Mbed TLS was updated to version 3.6.3 (from 3.6.2). The release notes can be found at:
+Mbed TLS was updated to version 3.6.4 (from 3.6.2). The release notes can be found at:
+https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3
Mbed TLS 3.6 is an LTS release that will be supported
diff --git a/west.yml b/west.yml
index a3716d8dc10aa..21c2a0ebb345d 100644
--- a/west.yml
+++ b/west.yml
@@ -298,7 +298,7 @@ manifest:
revision: 1ed1ddd881c3784049a92bb9fe37c38c6c74d998
path: modules/lib/gui/lvgl
- name: mbedtls
- revision: 5f889934359deccf421554c7045a8381ef75298f
+ revision: 85440ef5fffa95d0e9971e9163719189cf34d979
path: modules/crypto/mbedtls
groups:
- crypto