diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-c_build_helper-Split-cc-command-line.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-c_build_helper-Split-cc-command-line.patch
new file mode 100644
index 0000000000..adddb7ad8e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-c_build_helper-Split-cc-command-line.patch
@@ -0,0 +1,33 @@
+From 178e089683bf42097ac6d27522820d07483bc6bd Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 23 Apr 2026 08:54:02 +0200
+Subject: [PATCH] c_build_helper: Split cc command line
+
+Optionally the CC/HOSTCC environment variable can hold the command to
+invoke the C compiler, however this command can also contain extra
+arguments, not only the binary name. In this particular case Python
+was treating the whole value as a single binary name, and was trying
+to execute as such (e.g. "cc -arg1 -arg2" instead of "cc" and the arguments
+separately), which results in failure.
+
+Split the compiler command into its components to invoke it correctly.
+
+Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls-framework/pull/301]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ scripts/mbedtls_framework/c_build_helper.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mbedtls_framework/c_build_helper.py b/scripts/mbedtls_framework/c_build_helper.py
+index 59bb326e2..85dbb628f 100644
+--- a/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
++++ b/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+@@ -98,7 +98,7 @@ def compile_c_file(c_filename, exe_filename, include_dirs):
+     cc = os.getenv('HOSTCC', None)
+     if cc is None:
+         cc = os.getenv('CC', 'cc')
+-    cmd = [cc]
++    cmd = cc.split()
+ 
+     proc = subprocess.Popen(cmd,
+                             stdout=subprocess.DEVNULL,
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-use-qemuwrapper-to-run-cross-compiled-binary.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-use-qemuwrapper-to-run-cross-compiled-binary.patch
new file mode 100644
index 0000000000..a9e8bb2ed9
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-use-qemuwrapper-to-run-cross-compiled-binary.patch
@@ -0,0 +1,29 @@
+From 46f0ea3eb35e8d0d33e88298a9e7c3dbdd49ec17 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Thu, 23 Apr 2026 09:14:40 +0200
+Subject: [PATCH] use qemuwrapper to run cross-compiled binary
+
+The build process executes a compiled binary to get some details,
+however this results in a failure in case of cross-compiling.
+
+Run it with qemuwrapper, that is created in the recipe.
+
+Upstream-Status: Inappropriate [cross-compile specific]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ scripts/mbedtls_framework/c_build_helper.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mbedtls_framework/c_build_helper.py b/scripts/mbedtls_framework/c_build_helper.py
+index 59bb326e2..5c4c211ee 100644
+--- a/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
++++ b/tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+@@ -169,7 +169,7 @@ def get_c_expression_values(
+                              .format(caller, c_name))
+         else:
+             os.remove(c_name)
+-        output = subprocess.check_output([exe_name])
++        output = subprocess.check_output(['../../../qemuwrapper', exe_name])
+         return output.decode('ascii').strip().split('\n')
+     finally:
+         remove_file_if_exists(exe_name)
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_4.1.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_4.1.0.bb
new file mode 100644
index 0000000000..614016b0f1
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_4.1.0.bb
@@ -0,0 +1,88 @@
+SUMMARY = "Lightweight crypto and SSL/TLS library"
+DESCRIPTION = "mbedtls is a lean open source crypto library          \
+for providing SSL and TLS support in your programs. It offers        \
+an intuitive API and documented header files, so you can actually    \
+understand what the code does. It features:                          \
+                                                                     \
+ - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
+   Camellia and XTEA                                                 \
+ - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
+ - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
+ - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
+   ECDSA and ECDH                                                    \
+ - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
+ - Abstraction layers for ciphers, hashes, public key operations,    \
+   platform abstraction and threading                                \
+"
+
+HOMEPAGE = "https://www.trustedfirmware.org/projects/mbed-tls/"
+BUGTRACKER = "https://github.com/Mbed-TLS/mbedtls/issues"
+
+LICENSE = "Apache-2.0 | GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
+
+SECTION = "libs"
+
+SRC_URI = "gitsm://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-4.1;tag=v${PV} \
+           file://run-ptest \
+           file://0001-c_build_helper-Split-cc-command-line.patch \
+           "
+
+SRC_URI:append:class-target = " file://0001-use-qemuwrapper-to-run-cross-compiled-binary.patch"
+
+SRCREV = "0fe989b6b514192783c469039edd325fd0989806"
+
+DEPENDS += "python3-jinja2-native python3-jsonschema-native qemu-native"
+
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+inherit cmake ptest python3native qemu
+
+PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
+PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
+PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
+PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
+
+PROVIDES += "polarssl"
+RPROVIDES:${PN} = "polarssl"
+
+PACKAGES =+ "${PN}-programs"
+FILES:${PN}-programs = "${bindir}/"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
+
+do_configure:prepend() {
+	# during building tf-psa-crypto/framework/scripts/mbedtls_framework/c_build_helper.py
+	# runs some of the cross-compiled binaries.
+
+	qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_LIBDIR}')])}"
+	cat > ${WORKDIR}/qemuwrapper << EOF
+#!/bin/sh
+$qemu_binary "\$@"
+EOF
+
+	chmod +x ${WORKDIR}/qemuwrapper
+}
+
+# Strip host paths from autogenerated test files
+do_compile:append() {
+	sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
+	sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
+}
+
+# Export source files/headers needed by Arm Trusted Firmware
+sysroot_stage_all:append() {
+	sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
+	sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
+}
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}/tests
+	install -d ${D}${PTEST_PATH}/framework
+	cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
+	find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
+	cp -fR ${S}/framework/data_files ${D}${PTEST_PATH}/framework/
+}