# Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing (CVE-2026-50588) **Title** | Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing --------- | ---------------------------------------------------------- **CVE** | CVE-2026-50588 **Date** | 7th of July, 2026 **Affects** | Mbed TLS 3.3.0 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0 **Not affected** | Mbed TLS before 3.3.0; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions **Impact** | A malicious TLS 1.2 server can cause a client to read outside the validated ServerKeyExchange message while parsing an EC J-PAKE key exchange **Severity** | LOW **Credits** | Biniam Demissie ## Vulnerability In TLS 1.2 clients, when parsing a ServerKeyExchange message for the EC J-PAKE ciphersuite, Mbed TLS read the first three bytes of the EC J-PAKE key exchange parameters before checking that three bytes were present in the message body. These bytes encode the curve type and the TLS named curve identifier. If a malicious TLS 1.2 server selected the `MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8` ciphersuite and sent a truncated ServerKeyExchange message, the client could read beyond the validated end of the current handshake message. If the bytes read beyond the message happened to match the expected curve encoding, subsequent EC J-PAKE parsing could consume a larger amount of data outside the message boundary. This vulnerability only affects builds with `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` enabled. EC J-PAKE support is disabled in the default Mbed TLS configuration. ## Impact A malicious TLS 1.2 server can trigger an out-of-bounds read in an affected client during the handshake. In most configurations, the read remains within the TLS input buffer and reads stale data from outside the current handshake message. In configurations where the TLS input buffer is too small for an EC J-PAKE handshake, the read can go past the end of the heap buffer. The overread data is not copied back to the peer. The practical information leakage is limited to whether the overread data is accepted by later parsing, so the severity is LOW. ## Affected versions Mbed TLS versions 3.3.0 through 3.6.6 and 4.0.0 through 4.1.0 are affected when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is enabled. Mbed TLS versions before 3.3.0 do not have the affected EC J-PAKE ServerKeyExchange parsing code. Mbed TLS 3.6.7 and later 3.6.x versions, Mbed TLS 4.1.1 and later 4.1.x versions, and Mbed TLS 4.2.0 and later 4.x versions, are not affected. ## Work-around Disable TLS 1.2 EC J-PAKE support by disabling `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`, or ensure that clients do not offer the `MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8` ciphersuite. Applications that are built without `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`, do not use TLS clients, only use TLS 1.3, or never allow negotiation of the EC J-PAKE ciphersuite are not vulnerable. ## Resolution Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, Mbed TLS 4.1.1 or a later 4.1.x version, or Mbed TLS 4.2.0 or a later version. ## Fix commits We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches. | Branch | Mbed TLS 3.6.x | TF-PSA-Crypto 1.1.x | TF-PSA-Crypto 1.x (x>1) | Mbed TLS 4.1.x | Mbed TLS 4.x (x>1) | | ------ | -------------- | ------------------- | -------------------------- | -------------- | --------------------- | | Basic fix | e3be807e5c5ce216b8b832b1e746e4ef5c0765bf | N/A | N/A | 1ac3989db6cd0416f562764e3bfacca62ce4875c | 08e3e3f81e6c5703c3afcbfcb47c600a2b10afcb | | With tests and documentation | e3be807e5c5ce216b8b832b1e746e4ef5c0765bf^..e1351f7881991951049fdcca230edd85dcde6f90 | N/A | N/A | 1ac3989db6cd0416f562764e3bfacca62ce4875c^..1a5e328377af66a1795ebf9440e79592bffa2a71 | 08e3e3f81e6c5703c3afcbfcb47c600a2b10afcb^..1aa125454601ef3492c285d2122518ac3fa3b6c2 |