diff --git a/mbedtls-3.6.5.tar.bz2 b/mbedtls-3.6.5.tar.bz2
new file mode 100644
index 0000000..715932a
--- /dev/null
+++ b/mbedtls-3.6.5.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8
+size 5367178
diff --git a/micropython.changes b/micropython.changes
index f3c8b59..a3e5c11 100644
--- a/micropython.changes
+++ b/micropython.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Oct 22 12:19:48 UTC 2025 - Dominik Heidler
+
+- Build with mbedtls-3.6.5 instead of bundled 3.6.2 to fix CVE-2025-59438
+
 -------------------------------------------------------------------
 Fri Aug 15 08:13:39 UTC 2025 - Dominik Heidler
diff --git a/micropython.spec b/micropython.spec
index 11df842..9141caa 100644
--- a/micropython.spec
+++ b/micropython.spec
@@ -27,6 +27,7 @@ License: MIT
 URL: https://micropython.org/
 Source0: %{name}-%{version}.tar.xz
 Source1: prepare.sh
+Source2: https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.5/mbedtls-3.6.5.tar.bz2#/mbedtls-3.6.5.tar.bz2
 BuildRequires: openssl
 BuildRequires: pkgconfig
 BuildRequires: python3
@@ -65,12 +66,15 @@ MicroPython tools like the mpy-cross compiler for compiling.py files to .mpy fil
 Also mpy-tool for inspecting .mpy files.
 %prep
-%autosetup -p1
+%autosetup -p1 -a2
 sed -i -e "s:/usr/lib/micropython:%{_prefix}/lib/micropython:g" "ports/unix/main.c"
 %define make_flags V=1 MICROPY_PY_BTREE=0 MICROPY_PY_USSL=0
+rm -rf lib/mbedtls
+mv mbedtls-3.6.5 lib/mbedtls
+
 %build
 # micropython
 export CFLAGS="%optflags -Wno-dangling-pointer"
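Review bot: The mbedtls version is hard-coded twice in the `Source2:` URL and a third time in the `mv mbedtls-3.6.5 lib/mbedtls` line in `%prep`, so the next security bump has to touch every occurrence by hand. Defining it once, `%define mbedtls_version 3.6.5`, and using `%{mbedtls_version}` in the URL and the `mv` keeps them in step. If the spec does not already declare it outside this hunk, `Provides: bundled(mbedtls) = %{mbedtls_version}` would also let CVE triage tooling see which embedded mbedtls version the package carries. The tarball's integrity rests on the `oid sha256:` value in the LFS pointer added by this commit, so it is worth comparing that value with the checksum upstream publishes for the 3.6.5 release.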
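Review bot: The `rm -rf lib/mbedtls` / `mv mbedtls-3.6.5 lib/mbedtls` pair has no comment saying why the bundled tree is replaced or when the override can go away, and it sits after the `%define make_flags` line rather than with the other `%prep` steps. A comment such as `# Replace bundled mbedtls 3.6.2 with 3.6.5 (CVE-2025-59438); drop once the micropython tarball ships a fixed mbedtls` above the two commands would keep the workaround from outliving its purpose or being removed by accident. The context line passes `MICROPY_PY_USSL=0` to make; whether that switch still governs the TLS module in this micropython version is not visible here, so it is worth confirming that the build actually compiles `lib/mbedtls`. The `%build` section continues outside the hunk.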