diff --git a/ChangeLog.d/unterminated-string-initialization.txt b/ChangeLog.d/unterminated-string-initialization.txt
new file mode 100644
index 0000000000..75a72cae6b
--- /dev/null
+++ b/ChangeLog.d/unterminated-string-initialization.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Silence spurious -Wunterminated-string-initialization warnings introduced
+     by GCC 15. Fixes #9944.
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index dbc703a6c1..865e02c2dc 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -80,7 +80,8 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
  *            the HkdfLabel structure on success.
  */
 
-static const char tls13_label_prefix[6] = "tls13 ";
+/* We need to tell the compiler that we meant to leave out the null character. */
+static const char tls13_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "tls13 ";
 
 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
     (2                     /* expansion length           */ \
diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
index 14f6e4876c..1509e9a4d4 100644
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -40,8 +40,9 @@
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 
+/* We need to tell the compiler that we meant to leave out the null character. */
 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string)       \
-    const unsigned char name    [sizeof(string) - 1];
+    const unsigned char name    [sizeof(string) - 1] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING;
 
 union mbedtls_ssl_tls13_labels_union {
     MBEDTLS_SSL_TLS1_3_LABEL_LIST
diff --git a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
index ca090ccc66..71173d2b52 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_aead_encrypt_decrypt.c
@@ -4,6 +4,21 @@
  */
 
 #include "psa/crypto.h"
+/*
+ * Temporary hack: psasim’s Makefile only does:
+ *  -Itests/psa-client-server/psasim/include
+ *  -I$(MBEDTLS_ROOT_PATH)/include
+ *  -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/include
+ *  -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
+ * None of those cover tf-psa-crypto/core, so we rely on the
+ * “-I$(MBEDTLS_ROOT_PATH)/include” entry plus a parent-relative
+ * include "../tf-psa-crypto/core/common.h" in order to pull in common.h here,
+ * which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the
+ * new GCC-15 unterminated-string-initialization warning).
+ * See GitHub issue #10223 for the proper long-term fix.
+ * https://github.com/Mbed-TLS/mbedtls/issues/10223
+ */
+#include "../tf-psa-crypto/core/common.h"
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -25,7 +40,9 @@ int psa_aead_encrypt_decrypt_main(void)
     uint8_t encrypt[BUFFER_SIZE] = { 0 };
     uint8_t decrypt[BUFFER_SIZE] = { 0 };
     const uint8_t plaintext[] = "Hello World!";
-    const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    /* We need to tell the compiler that we meant to leave out the null character. */
+    const uint8_t key_bytes[32] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
     uint8_t nonce[PSA_AEAD_NONCE_LENGTH(PSA_KEY_TYPE_AES, PSA_ALG_CCM)];
     size_t nonce_length = sizeof(nonce);
     size_t ciphertext_length;
diff --git a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
index a923feb618..25c0b8a61e 100644
--- a/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
+++ b/tests/psa-client-server/psasim/src/aut_psa_cipher_encrypt_decrypt.c
@@ -4,6 +4,7 @@
  */
 
 #include "psa/crypto.h"
+#include "../tf-psa-crypto/core/common.h"
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -25,7 +26,9 @@ int psa_cipher_encrypt_decrypt_main(void)
     uint8_t original[BUFFER_SIZE] = { 0 };
     uint8_t encrypt[BUFFER_SIZE] = { 0 };
     uint8_t decrypt[BUFFER_SIZE] = { 0 };
-    const uint8_t key_bytes[32] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    /* We need to tell the compiler that we meant to leave out the null character. */
+    const uint8_t key_bytes[32] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING =
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
     size_t encrypted_length;
     size_t decrypted_length;
 
diff --git a/tests/suites/test_suite_ssl_decrypt.function b/tests/suites/test_suite_ssl_decrypt.function
index 909e6cfa44..37265def88 100644
--- a/tests/suites/test_suite_ssl_decrypt.function
+++ b/tests/suites/test_suite_ssl_decrypt.function
@@ -37,7 +37,8 @@ void ssl_decrypt_null(int hash_id)
     mbedtls_ssl_write_version(rec_good.ver,
                               MBEDTLS_SSL_TRANSPORT_STREAM,
                               version);
-    const char sample_plaintext[3] = "ABC";
+    /* We need to tell the compiler that we meant to leave out the null character. */
+    const char sample_plaintext[3] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "ABC";
     mbedtls_ssl_context ssl;
     mbedtls_ssl_init(&ssl);
     uint8_t *buf = NULL;