ChaCha20 counter overflow can reuse keystream (CVE-2026-50584)
Title |
ChaCha20 counter overflow can reuse keystream |
|---|---|
CVE |
CVE-2026-50584 |
Date |
7th of July, 2026 |
Affects |
Mbed TLS 2.12.0 through 3.6.6; Mbed TLS 4.0.0-beta through 4.1.0; TF-PSA-Crypto 1.0.0-beta through 1.1.0 |
Not affected |
Mbed TLS before 2.12.0; Mbed TLS 3.6.7 and later 3.6.x; Mbed TLS 4.1.1 and later 4.1.x; Mbed TLS 4.2.0 and later; TF-PSA-Crypto 1.1.1 and later 1.1.x; TF-PSA-Crypto 1.2.0 and later |
Impact |
Reuse of ChaCha20 keystream can compromise confidentiality, and excessive ChaCha20-Poly1305 input can expose the Poly1305 one-time key and allow message forgery. |
Severity |
MEDIUM |
Credits |
jiliang |
Vulnerability
The ChaCha20 implementation in Mbed TLS and TF-PSA-Crypto did not reject
operations that made the 32-bit ChaCha20 block counter wrap around. The counter
could silently advance from 0xffffffff to 0x00000000, causing the same
keystream blocks to be generated again for a single key and nonce.
ChaCha20 has a 64-byte block size and a 32-bit block counter, so at most
2^32 blocks, or 256 GB, may be processed for one key and nonce. Affected
versions did not consistently enforce this limit in the low-level ChaCha20 API,
the ChaCha20-Poly1305 API, or the PSA AEAD API.
Applications are vulnerable if they can process more than 256 GB of ChaCha20
data with the same key and nonce, or if they use the low-level
mbedtls_chacha20_crypt() API with a starting counter and input length that
crosses the end of the 32-bit counter range. For example, an operation starting
at counter 0xffffffff with more than one ChaCha20 block of input could wrap
and reuse keystream from the beginning of the counter space.
For ChaCha20-Poly1305, counter 0 is reserved for deriving the one-time Poly1305 key, and encryption normally starts at counter 1. If an overlong message makes the ChaCha20 counter wrap to 0, the implementation can expose the same block-0 keystream material that is used as the Poly1305 key. If an attacker can know or control the corresponding plaintext, they can recover the one-time Poly1305 key for that nonce and forge authenticators for messages under the same key and nonce. This is a loss of authenticity for ChaCha20-Poly1305.
Impact
If an application encrypts enough data for the ChaCha20 counter to wrap while reusing the same key and nonce, ciphertext confidentiality can be compromised because keystream bytes are reused. In ChaCha20-Poly1305, processing an overlong message can also expose the Poly1305 one-time key for the nonce, allowing message forgery.
The practical exposure is limited to applications that process very large messages or streams, or that directly request ChaCha20 output close to the end of the counter range. Applications that never process such large amounts of data under a single key and nonce are not affected in practice.
Affected versions
Mbed TLS 2.12.0 through 3.6.6, and Mbed TLS 4.0.0-beta through 4.1.0, are affected. Mbed TLS 3.6.7, Mbed TLS 4.1.1, and Mbed TLS 4.2.0 contain the fix. Earlier Mbed TLS releases, including Mbed TLS 2.11.0, are not affected because they did not include ChaCha20 or ChaCha20-Poly1305 support.
TF-PSA-Crypto 1.0.0-beta through 1.1.0 is affected. TF-PSA-Crypto 1.1.1 and TF-PSA-Crypto 1.2.0 contain the fix.
Mbed TLS TLS protocol code is not affected as it does not expose a way to exceed the ChaCha20-Poly1305 record limits under a single key and nonce.
Work-around
Applications using an affected library version should ensure that no ChaCha20
operation processes more than 256 GB with the same key and nonce. Applications
should also ensure that direct uses of mbedtls_chacha20_crypt() do not combine
a starting counter and input length that cross the 32-bit block counter limit.
For ChaCha20-Poly1305, applications should impose a stricter per-message limit of 256 GB - 64 bytes and must not encrypt or decrypt input that would cause the underlying ChaCha20 counter to wrap. If a stream can approach this limit, rekey before the limit is reached.
Applications are not vulnerable in practice if they never process enough data with one ChaCha20 key and nonce for the 32-bit block counter to wrap.
Resolution
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or TF-PSA-Crypto 1.2.0 or a later version.
The fix makes ChaCha20 and ChaCha20-Poly1305 operations fail when processing the requested input would wrap the 32-bit block counter.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
609b1c51b1a6fdb23210075607529a0505e0c4f9 56b050d7386440555bf2077ea0f0334b0bae1ee9 7bf0215f8d2a5b4ca5b56c4692ef09176a342e91 4ee90fe0e626c5d7ed06f803ff3a4470172659ac |
7f54f62dd153ca3517956ffe0f21ff8e40d4f5c2 43899e4ae6f664ac568eedf2737d2aaf0e2782dd 92c6e9e027714c76fe4964923e81108405681509 ba70d7119b2f93b095f445904c9e6b63ca939b33 539b6749e8bd9107a4be176df53e1bcebbb21e45 b7166633d54719586ef49ef332c09f195159114d |
0a0770afe00ff18ebaa2b9d6a59e55af85f3c77e f27067bf2826e33c34422f60d5ed20192ac12bfc 001716ed1ebef1f0f7f59a9c1fbc65c3b3ee70ab f5197f0e194f3903bb0fc134d30036efec2593b9 af6e027450892b0ff36a14a3b50be93ce0f1cfd0 8de9f6aa776d5e92d77b10dfca6666f83f542ab2 |
N/A |
N/A |
With tests and documentation |
e05f16967735b1a7f184406269e1b7959949b17d^..e8908dfa54422bed618ed6dc3fb9a8a77d516245 |
21b9b1ec550b71216592b317f64a11453b2ef66b^..b3ae691c3c58668244bd7c6f31de82a71359fbf0 |
897ec8da009c88f5dcf10c947b03f085cc199210^..89620b3cd4649dc3af967af8cf901dcaa1986ec0 |
N/A |
N/A |