Mbed TLS 3.6.7
Description
This release of Mbed TLS provides new features, bug fixes and minor enhancements. This release includes fixes for security issues.
Security Advisories
For full details, please see the following links:
* Timing side-channel in RSA PKCS#1 v1.5 decryption
* Extended master secret calculation failure ignored
* Ignored TLS 1.3 resumption secret derivation error
* Heap corruption with early renegotiation after corrupted record in DTLS
* ChaCha20 counter overflow can reuse keystream
* TLS 1.3 early data integrity failure due to buffered plaintext across key change
* Possible buffer overflow in mbedtls_ecdh_calc_secret()
* Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake
* Side channel leak in ECC optimized modp
* Information disclosure in TLS 1.2 NewSessionTicket
* Out-of-bounds read when parsing a zero-length ECC public key
* Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing
* Use-after-free in mbedtls_pkcs7_free() when reusing a PKCS7 context
* PKCS7 signed data verification accepts weak hash algorithms
* Signature algorithm restrictions not enforced on certificate chain
* Incomplete context reset in mbedtls_ssl_session_reset()
* A random generator fault can compromise TLS data integrity
* TLS 1.3 client accepts HelloRetryRequest selecting an unadvertised group
* X.509 CA bit forgery via invalid basicConstraints extension
Release Notes
Features
- SHA3-256, SHA3-384 and SHA3-512 are now accepted in the default X.509
certificate profile.
Security
- Fix a side channel in RSA PKCS#1 v1.5 decryption: error handling in the
library would reveal through timing the difference between success,
invalid padding, or output too large for buffer, giving rise to a
Bleichenbacher attack. Note that while the library now handles sensitive
errors in constant-time, RSA PKCS#1 v1.5 decryption remains inherently
dangerous, should be avoided when possible, and otherwise requires great
care in application code. Found by zhengg. CVE-2026-50587 - Added advice about compiler options in SECURITY.md.
- Fix a bug where transcript-hash computation errors during TLS 1.2
extended master secret calculation could be ignored instead of causing the
handshake to fail. This could allow a handshake to continue with a master
secret that was not correctly bound to the handshake transcript,
undermining the security guarantees of the extended master secret
extension. Report by Mathew Gretton-Dann. CVE-2026-50581 - Fix a TLS 1.3 server-side error-handling bug affecting session ticket
generation. Under rare conditions, such as memory allocation failures
while computing the resumption master secret, the server could issue
invalid session tickets instead of failing the handshake. Clients
presented with such tickets would fail session resumption and fall back to
a full handshake. In deployments relying on session resumption, repeated
occurrences could increase the frequency of full handshakes and amplify
resource consumption during periods of resource exhaustion or other
transient failures. Reported by jjfz123.
CVE-2026-50640 - Fix renegotiation failing and potentially causing a buffer overflow
in DTLS when badmac_limit is enabled. Reported by Haruki Oyama.
CVE-2026-50713. - Reject ChaCha20 operations that would make the 32-bit block counter wrap
around, which could otherwise reuse keystream and compromise
confidentiality. Reported by jiliang. CVE-2026-50584 - Fixed a TLS 1.3 record-boundary validation issue that could allow
unauthenticated plaintext data to be processed across a key change. In
servers with MBEDTLS_SSL_EARLY_DATA enabled, this could be exploited by a
man-in-the-middle attacker to cause loss of 0-RTT early data.
Reported by Ben Smyth. - Fix a possible buffer overflow in mbedtls_ecdh_calc_secret(): when the
provided output buffer is too small, sometimes (depending on the value of
the computed shared secret), the function would not return an error as it
should, but instead write past the end of the buffer. Reported by Eva
Crystal (0xiviel) from XSource Security. CVE-2026-35336. - Fix a remote buffer overflow in (D)TLS with ECDHE-PSK cipher suites when
CBC is disabled. Reported by Karnakar Reddy. CVE-ID-50580 - Fix a side channel in ECC computations that allows a powerful local
attacker (typically, untrusted OS attacking a secure enclave) to fully
recover long-term secret keys. Found and reported by Alejandro Cabrera
Aldaya from Tampere University. CVE-2026-54435 - Fix a potential information disclosure in TLS 1.2 servers using session
tickets. If the session ticket write callback failed without setting the
lifetime output parameter, Mbed TLS could send 4 bytes of uninitialized
stack memory to the peer in the NewSessionTicket message. Fixes #1570.
Reported by James Love. CVE-2026-50586. - Fix timing side channel in RSA key generation, prime generation and
primality testing, on platforms where division is not constant-time. At
this point this side channel is not known to be exploitable. Reported by
Bhargava Shastry, Ethereum Foundation. - Fix a 1-byte buffer overread when parsing a malformed ECC public key
in the PK module. CVE-2026-50583 - Fix an out-of-bounds read when parsing TLS 1.2 ECJPAKE ServerKeyExchange
messages. Reported-by Biniam Demissie.
CVE-2026-50588 - Fix a use-after-free/double-free risk in mbedtls_pkcs7_free() when reusing
an mbedtls_pkcs7 context across parse -> free -> parse -> free cycles. The
function now resets the context after freeing it, ensuring stale
signed_data.signers.next pointers cannot be walked by a later free
operation. CVE-2026-50579 - PKCS7 now rejects weak hash algorithms (RIPEMD160, MD5, SHA-1, SHA-224,
SHA3-224) on signature verification. The new configuration option
MBEDTLS_PKCS7_ALLOW_WEAK_SIGNATURES allows to keep using weak hash
algorithms in PKCS7 for backward compatibility purposes. - Improved documentation of mbedtls_ssl_conf_sig_algs() to emphasize that
this function only sets signature algorithms that are enforced during
TLS key exchange and not on certificate verification. Reported by
Xiangdong Li, Beijing University of Posts and Telecommunications (BUPT).
CVE-2026-54441 - Ensure 'dtls_srtp_info' field from 'mbedtls_ssl_context'
is properly zeroized when mbedtls_ssl_session_reset() is called. This
could cause incorrect DTLS-SRTP parameter inheritance for applications
reusing an SSL context.
Reported by jjfz123. CVE-2026-50585. - Fix a bug where mbedtls_ssl_read() and mbedtls_ssl_write() could return
1 instead of an error code if the random generator failed when a server
called these functions before the end of a TLS 1.3 handshake.
Reported by Mohammad Seet (mhdsait101). - Fix TLS 1.3 clients to reject a HelloRetryRequest whose selected group was
not advertised in the original ClientHello. Reported independently by
Din Asotić / Xiangdong Li, Beijing University of Posts and
Telecommunications (BUPT), and NVIDIA Project Vanessa.
CVE-2026-25832. - Fix two bugs in the X.509 certificate parser that caused some inputs
with a malformed basicConstraints extension to be accepted. This
could have dangerous results, in particular causing some certificates
to be parsed as CA certificates when other X.509 implementations would
parse them as end-entity certificates. Reported by Mohammad Seet
(mhdsait101), Pablo Ruiz García and NVIDIA Project Vanessa. CVE-2026-49300
Bugfix
- Fix a TLS 1.2 regression that caused clients to reject valid
ServerKeyExchange signatures using RSA-PSS signature algorithms.
Fixes #10668. - Fix a problem in library/alignment.h where the Zephyr Project use
a pre-defined macro '__packed' which collides with the IAR keyword
'__packed', causing the typedefs of unaligned types to remain aligned.
Fixes mbedtls issue #10334 - Reject malformed TLS 1.3 serialized sessions instead of accepting
unterminated strings or extra trailing data. - Reject serialized SSL contexts whose DTLS Connection ID length exceeds
the maximum supported size, instead of overflowing the internal buffer. - Fix bug in configurations with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED that
prevented re-use of an mbedtls_ecdh_context for static ECDH: our secret key
was wiped after its first use to compute a shared secret. - Fixed documentation of mbedtls_ssl_set_cid(): the set CID configuration
is applied to all subsequent handshakes, not just to the next one. - Reject malformed X.509 CSRs where the extensionRequest attribute
wrappers do not exactly contain the requested extensions.
Changes
- X.509 certificates with a basicConstraints extension starting with an
INTEGER field are no longer accepted. According to RFC 5280, such
certificates are syntactically valid and the first field is the
pathLenConstraint value, but certificate authorities must not emit such
certificates. Mbed TLS interpreted it as a cA value, which was nonstandard
and dangerous.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Note
❕ mbedtls-3.6.7.tar.bz2 is our official release file. source.tar.gz and source.zip are automatically generated snapshots that GitHub is generating. They do not include submodules or generated files, and cannot be configured.
Checksum
The SHA256 hashes for the archives are:
a7e8bcbec0e6f761b4af24f25677626b35f762f68eef79c08677a363212d11f6