# Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake (CVE-2026-50580) **Title** | Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake --------- | ---------------------------------------------------------- **CVE** | CVE-2026-50580 **Date** | 7th of July, 2026 **Affects** | Mbed TLS 1.3.10 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0 **Not affected** | Mbed TLS 1.3.9 and earlier; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later versions; TF-PSA-Crypto **Impact** | A malicious TLS 1.2 server can cause a client configured with an oversized PSK identity to write past the end of the TLS output buffer when an ECDHE-PSK ciphersuite is negotiated. **Severity** | HIGH **Credits** | Karnakar Reddy (@karnakarreddi) ## Vulnerability In TLS 1.2 clients, `ssl_write_client_key_exchange()` constructs the ClientKeyExchange message for ECDHE-PSK ciphersuites by writing the PSK identity followed by the client's ephemeral EC public key. Before the fix, the ECDHE-PSK path checked that the output message buffer had enough room for the handshake header, the two-byte PSK identity length, and the PSK identity, but did not reserve room for the following one-byte EC point length field and the EC public key. If the client was configured with a sufficiently long PSK identity, this check could pass while leaving too little room for the EC public key. The subsequent public key export then computed the remaining output space from a pointer that could already be beyond the intended TLS output-content boundary. This could underflow the available-length calculation and let the public key export write past the end of the TLS output buffer in affected configurations. Applications are vulnerable when they use a TLS 1.2 client configured with an oversized static PSK identity, allow negotiation of ECDHE-PSK ciphersuites, and run with an output-buffer layout that does not leave enough spare space after `MBEDTLS_SSL_OUT_CONTENT_LEN` to absorb the overflow. The issue is exposed in particular when CBC ciphersuites are disabled, reducing the extra output-buffer padding that otherwise masks the overwrite in common configurations. ## Impact A malicious TLS 1.2 server or a TCP man-in-the-middle that negotiates an ECDHE-PSK ciphersuite with an affected client can trigger memory corruption while the client constructs its ClientKeyExchange message. Confirmed outcomes include a client-side process crash and denial of service. Depending on allocator behavior, build configuration, and application memory layout, code execution and heap corruption may be possible. For the attack to be possible, the client application must be configured with a very long PSK identity and must offer ECDHE-PSK ciphersuites. Applications that use short PSK identities are not vulnerable to this issue: the PSK identity must be long enough that the ECDHE-PSK ClientKeyExchange message can fit the handshake header and PSK identity, but not the following EC public key. ## Affected versions Mbed TLS versions 1.3.10 through 3.6.6 and 4.0.0 through 4.1.0 are affected when `MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED` is enabled and the application can use an oversized PSK identity. Mbed TLS 1.3.9 and earlier are not affected because they do not have ECDHE-PSK support. Mbed TLS 3.6.7 and later 3.6.x versions, Mbed TLS 4.1.1 and later 4.1.x versions, and Mbed TLS 4.2.0 and later versions include the fix. TF-PSA-Crypto is not affected. ## Work-around Applications can avoid the issue by using short PSK identities. For ECDHE-PSK, the ClientKeyExchange message needs 7 bytes of header and length fields, the PSK identity, and the encoded client EC public key. The encoded public key size depends on the negotiated curve; for the largest currently supported built-in curves, reserving 133 bytes for it is sufficient. Therefore, applications using those curves are not affected if the PSK identity length is at most `MBEDTLS_SSL_OUT_CONTENT_LEN - 140` bytes. For example, this allows PSK identities up to 116 bytes with `MBEDTLS_SSL_OUT_CONTENT_LEN` set to 256, or up to 884 bytes with `MBEDTLS_SSL_OUT_CONTENT_LEN` set to 1024. A 64-byte PSK identity has enough room even with a 256-byte output content buffer. Applications are also not vulnerable if they do not use TLS clients, do not enable TLS 1.2, or do not enable ECDHE-PSK ciphersuites. If applications cannot rely on PSK identity lengths being short enough or disable TLS 1.2 ECDHE-PSK support by disabling `MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED`. ## Resolution Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, Mbed TLS 4.1.1 or a later 4.1.x version, or Mbed TLS 4.2.0 or a later version. ## Fix commits We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches. | Branch | Mbed TLS 3.6.x | TF-PSA-Crypto 1.1.x | TF-PSA-Crypto 1.x (x>1) | Mbed TLS 4.1.x | Mbed TLS 4.x (x>1) | | ------ | -------------- | ------------------- | -------------------------- | -------------- | --------------------- | | Basic fix | f9835c081f1ebed8c2ea3b23574da71c1bb66e44 | N/A | N/A | f63ca6e0af1d37ae048e00e692f21d302d0acd25 | baf449db7e31f031ed5def0fecf417122f72d3ee | | With tests and documentation | f9835c081f1ebed8c2ea3b23574da71c1bb66e44^..b961ac2cf2472829066a97f10af544af267cfca2 | N/A | N/A | f63ca6e0af1d37ae048e00e692f21d302d0acd25^..a98b95074ad1d2a73e91278a380a424f3f4df4c6 | baf449db7e31f031ed5def0fecf417122f72d3ee^..911b9b67dbf335f79253c2b66acc9767e34b3105 |