# Signature algorithm restrictions not enforced on certificate chain (CVE-2026-54441) **Title** | Signature algorithm restrictions not enforced on certificate chain --------- | ---------------------------------------------------------- **CVE** | CVE-2026-54441 **Date** | 7th of July, 2026 **Affects** | Mbed TLS up to 3.6.6 and earlier; Mbed TLS 4.0.0 and 4.1.0 **Not affected** | Mbed TLS 3.6.7 and later, Mbed TLS 4.1.1 and later, Mbed TLS 4.2.0 and later **Impact** | An application may accept certificate chains signed with algorithms that were not intended to be allowed **Severity** | LOW **Credits** | Xiangdong Li, Beijing University of Posts and Telecommunications (BUPT) ## Vulnerability Mbed TLS provides two separate API functions that affect which signature algorithms are accepted during a TLS handshake: - `mbedtls_ssl_conf_sig_algs()`: configures the list of signature algorithms advertised in the TLS `signature_algorithms` extension, which is enforced for handshake signatures. - `mbedtls_ssl_conf_cert_profile()`: controls which signature algorithms are accepted when verifying the certificate chain. In the TLS 1.3 protocol, the `signature_algorithms` extension covers both handshake signatures and certificate chain signatures unless a separate `signature_algorithms_cert` extension is also sent. Mbed TLS does not send `signature_algorithms_cert`, so the same list is advertised for both purposes. This makes it reasonable to expect that `mbedtls_ssl_conf_sig_algs()` would also restrict which signature algorithms are accepted in the certificate chain. However, Mbed TLS enforces these two settings independently: `mbedtls_ssl_conf_sig_algs()` only affects handshake signatures, while certificate chain verification is governed solely by `mbedtls_ssl_conf_cert_profile()`. The documentation for `mbedtls_ssl_conf_sig_algs()` did not make this separation explicit, which could lead developers to believe that configuring `sig_algs` alone is sufficient to enforce signature algorithm restrictions across the entire handshake, including certificate verification. An application is vulnerable if it calls `mbedtls_ssl_conf_sig_algs()` to configure a restricted set of algorithms and assumes that the certificate chain will also be verified against that restriction, without also calling `mbedtls_ssl_conf_cert_profile()` with a suitably restrictive profile. ## Impact A peer may present a certificate chain signed with a signature algorithm that the application intended to reject. If the application relies solely on `mbedtls_ssl_conf_sig_algs()` and does not configure a certificate profile via `mbedtls_ssl_conf_cert_profile()`, the certificate chain signature will be accepted regardless of the configured `sig_algs`. This may allow a peer to use certificates with signature algorithms the developer intended to forbid, potentially weakening the security posture of the application. ## Affected versions Mbed TLS 3.6.6 and earlier; Mbed TLS 4.0.0 and 4.1.0. ## Resolution Applications can protect themselves by explicitly calling `mbedtls_ssl_conf_cert_profile()` with an X.509 certificate profile that restricts the accepted signature algorithms to match the intended policy. For example, use one of the built-in profiles such as `mbedtls_x509_crt_profile_suiteb` or define a custom `mbedtls_x509_crt_profile` structure. ## Fix commits Updated documentation can be found at following commits: | Branch | Mbed TLS 3.6.x | Mbed TLS 4.1.x | Mbed TLS 4.x (x>1) | | ------ | -------------- | ------------------- | -------------------------- | | Updated documentation | aecc26ac7c523e741dd62d94890278326fe7c230..b9c8c9c4275bf8e5e88aa9e1e8f6d518fa78367b | b2e36d7d7aa9968087eac0a40457783c61c90720..bd57fb5e8afe003ed24a2ae9e8ca487ecdc4c3f4 | 4a1d150cdf441d0b1d984ea825a21d5770a9f94a..147ad72669797947bef12a0bdbe5dec0ed805c58 |