# Out-of-bounds read when parsing a zero-length ECC public key (CVE-2026-50583) **Title** | Out-of-bounds read when parsing a zero-length ECC public key --------- | ------------------------------------------------------------ **CVE** | CVE-2026-50583 **Date** | 7th of July, 2026 **Affects** | All versions of Mbed TLS from 3.5.0 to 3.6.6 with driver-only ECC; all versions of Mbed TLS from 4.0.0 to 4.1.0; all versions of TF-PSA-Crypto up to 1.1.0 **Not affected** | Mbed TLS up to 3.4.1; Mbed TLS 3.5.0 through 3.6.6 with built-in ECC; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions; TF-PSA-Crypto 1.2.0 and later 1.x versions **Impact** | Out-of-bounds read while parsing malformed ECC key material, potentially causing a crash **Severity** | LOW ## Vulnerability When parsing malformed externally supplied ECC key material, Mbed TLS or TF-PSA-Crypto can read one byte past the supplied public-key buffer. The malformed input can be an ASN.1 SubjectPublicKeyInfo whose ECC public-key BIT STRING contains no ECPoint payload, or the optional `publicKey` field of a SEC1 ECPrivateKey. In Mbed TLS, this issue can be reached through APIs that parse ECC public keys, EC private keys, certificates or CSRs, including `mbedtls_pk_parse_public_key()`, `mbedtls_pk_parse_key()`, `mbedtls_x509_crt_parse()` and `mbedtls_x509_csr_parse()`. Internally, the missing length check is in `mbedtls_pk_ecc_set_pubkey()`, which inspects the first byte of the encoded public key before validating that the supplied public-key buffer is non-empty. In Mbed TLS 3.x, this code path is only used when `MBEDTLS_PK_USE_PSA_EC_DATA` is defined. Builds using the legacy ECP-backed representation are not affected. Mbed TLS 4.x is affected through its TF-PSA-Crypto submodule. ## Impact Out-of-bounds read while parsing malformed ECC key material, potentially causing a crash. ## Affected versions All versions of TF-PSA-Crypto up to 1.1.0 are affected. All versions of Mbed TLS from 3.5.0 to 3.6.6 are affected in configurations where `MBEDTLS_USE_PSA_CRYPTO` and the PK module are enabled, PSA supports ECC through a driver, and built-in ECC support is disabled. All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected. ## Work-around Applications using vulnerable versions should avoid parsing ECC public keys, certificates, CSRs or EC private keys unless the input has first been validated to reject zero-length ECC public-key encodings. ## Resolution Affected users should upgrade to TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or to TF-PSA-Crypto 1.2.0 or a later 1.x version. Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version. ## Fix commits We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches. | Branch | Mbed TLS 3.6.x | TF-PSA-Crypto 1.1.x | TF-PSA-Crypto 1.x (x>1) | Mbed TLS 4.1.x | Mbed TLS 4.x (x>1) | | ------ | -------------- | ------------------- | -------------------------- | -------------- | --------------------- | | Basic fix | 0e2d7037db4048dbf1c194508c07384a818261d5 | c99519080302cbcf19ad61d57c1d6fc614608336 | e7183dbf9789834f89a5ed41f2156dcf34f130c3 | N/A | N/A | | With tests and documentation | aecc26ac7c523e741dd62d94890278326fe7c230..3208173d3d6728b6d1eb25a1a448067c781cbb69 | de89cfc02ecb5a4ae67da155ebace3eff83555b2..32a2f6bb62dd3837951ccd546cb62638d56cbf61 | feb70754b0a8d79f46d2c5f3eb8348c2212918c8..718f15d851316cbed7242b3a07b31c1712c51ef1 | N/A | N/A |