# A random generator fault can compromise TLS data integrity (CVE-TODO) **Title** | A random generator fault can compromise TLS data integrity --------- | ---------------------------------------------------------- **CVE** | CVE-TODO **Date** | 7th of July, 2026 **Affects** | All versions of Mbed TLS from 3.2.0 to 3.6.6; Mbed TLS 4.0.0; Mbed TLS 4.1.0 **Not affected** | Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x version; Mbed TLS 4.2.0 and later 4.x versions **Impact** | TLS 1.3 application data integrity **Severity** | LOW **Credits** | Mohammad Seet (mhdsait101) ## Vulnerability A logic error in `ssl_tls13_prepare_new_session_ticket()` causes it to return 1 rather than a negative error code if `psa_generate_random()` fails. On some platforms, an attacker with physical or local access may glitch the entropy source, which can cause `psa_generate_random()` to fail, depending on the random generator configuration. The TLS library internally treats any nonzero value as an error, so for the most part, the impact is limited to returning the wrong error code for this error condition. However, applications may call `mbedtls_ssl_read()` or `mbedtls_ssl_write()` before the handshake is complete, in which case the functions will try to complete the handshake (and return `MBEDTLS_ERR_SSL_WANT_READ` or `MBEDTLS_ERR_SSL_WANT_WRITE`). If `ssl_tls13_prepare_new_session_ticket()` returns 1 due to the random generator failure, `mbedtls_ssl_read()` or `mbedtls_ssl_write()` returns 1, letting the application believe that one byte of application data has been read or written. With `mbedtls_ssl_read()`, the byte value that has seemingly been read is the previous content of the output buffer. ## Impact Consider an application running a TLS server, that receives a TLS 1.3 connection. Suppose that an attacker can cause the platform's entropy source to fail. If the application calls `mbedtls_ssl_read()` before the TLS handshake is over, the attacker can inject extra data before the actual data from the client. The attacker can control how many bytes are injected, but not the value of these bytes. If the application calls `mbedtls_ssl_write()` before the TLS handshake is over, the attacker can cause some initial bytes not to be sent from the server. ## Affected versions All versions of Mbed TLS 3.x from 3.2.0 to 3.6.6 are affected. Mbed TLS 4.0.0 and 4.1.0 are affected. ## Work-around Applications are only affected if they call `mbedtls_ssl_read()` or `mbedtls_ssl_write()` before the initial TLS handshake is over. The bug only affects TLS 1.3 servers. TLS 1.2 connections are not affected, and in particular renegotiation handshakes are not affected. Applications are only affected if they issue TLS 1.3 session tickets. They only do so when `MBEDTLS_SSL_SESSION_TICKETS` is enabled (it is enabled by default) and the application has configured a ticket callback with `mbedtls_ssl_conf_session_tickets_cb()`. Furthermore tickets are not issued if the application has disabled them by calling `mbedtls_ssl_conf_new_session_tickets()` with a count of 0. Applications are only affected if the random generator is configured to fail if the entropy source fails, which is the case by default, but can be avoided by setting the reseed interval to `INT_MAX`. ## Resolution Affected users should upgrade to Mbed TLS 3.6.7, Mbed TLS 4.1.1 or Mbed TLS 4.2.0 depending on which branch they are tracking. ## Fix commits We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches. | Branch | Mbed TLS 3.6.x | Mbed TLS 4.1.x | Mbed TLS 4.x (x>1) | | ------ | -------------- | -------------- | --------------------- | | Basic fix | a5699bdb914ac6f65c867cf842911cdaa9d5618e | 465d6e9669a24ff7fe1a018fafe0e9f44aa4a48b | 465d6e9669a24ff7fe1a018fafe0e9f44aa4a48b | | With tests and documentation | 77b1a22bc31d0017b07425bba61e5a4ecb82b9c5..8b7af9d421c62497f3a4e4a8be476b7fe8323c3f | 0fe989b6b514192783c469039edd325fd0989806..b05434c1b1df14cb3b2ce52dd1200c3ba9f9b198 | 0fe989b6b514192783c469039edd325fd0989806..b05434c1b1df14cb3b2ce52dd1200c3ba9f9b198 |