Side channel leak in ECC optimized modp (CVE-2026-54435)

Title

Side channel leak in ECC optimized modp

CVE

CVE-2026-54435

Date

7th of July, 2026

Affects

All versions of Mbed TLS up to 3.6.6; all versions of Mbed TLS from 4.0.0 to 4.1.0; all versions of TF-PSA-Crypto up to 1.1.0

Not affected

Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions; TF-PSA-Crypto 1.1.1 and later 1.1.x versions; TF-PSA-Crypto 1.2.0 and later 1.x versions

Impact

A privileged local adversary can recover long-term ECC keys

Severity

MEDIUM

Credits

Alejandro Cabrera Aldaya from Tampere University

Vulnerability

The TF-PSA-Crypto / Mbed TLS implementation of elliptic curves uses specialised routines for fast reduction modulo the curve’s prime. These routines were not constant-time. An attacker able to obtain precise enough execution traces can recover the secret key used in some operations. Affected operations include deterministic ECDSA signature generation, derivation of the public key when loading a private key, and deterministic key generation (key derivation). These operations perform scalar multiplication with the same secret scalar on repeated invocations.

In order to get precise enough traces, the adversary needs to be local and privileged: typically an untrusted OS attacking a secure enclave. (Physical side channels could also be used, but TF-PSA-Crypto does not aim to protect against such attacks.)

Impact

The adversary can fully recover long-term ECC keys.

Affected versions

All versions of TF-PSA-Crypto up to 1.1.0 are affected.

All versions of Mbed TLS up to 3.6.6 are affected. All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected.

Work-around

There is no practical work-around that applies to all affected curves.

For NIST curves (secpXXXXr1), disabling MBEDTLS_ECP_NIST_OPTIM avoids the affected optimized modular reduction routines. However, this option is enabled in the default configuration, and disabling it incurs a significant performance degradation that may not be acceptable.

Brainpool curves are not affected because they do not use fast modular reduction routines.

Koblitz curves (secpXXXk1) and Montgomery curves (Curve25519 and Curve448) are affected in all configurations.

Resolution

Affected users should upgrade to TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or to TF-PSA-Crypto 1.2.0 or a later 1.x version.

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

TF-PSA-Crypto 1.1.x

TF-PSA-Crypto 1.x (x>1)

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

aecc26ac7c52..6b4b14ae719c4f46ea70600d63b0d50dc727ff3a

9c0f0cf88a19..072d46a1660b2d21cb8eb17d437efdb6bbfa48bd

feb70754b0a8..0db467d4b32e1cfc94558b96cc5cc92b3ec09598

n/a (submodule)

n/a (submodule)

With tests and documentation

aecc26ac7c52..10f9bd4adda74d71827fd78006136f956d08d554

9c0f0cf88a19..23333b8bdd09cd87826fae76972da70f27125aeb

feb70754b0a8..c440358725cb3e70b30cbd984ce7a8c7075c7e2f

n/a (submodule)

n/a (submodule)

Additional improvements in the new functions

5f62b3fa5607..05ce3e90eb863b751c4464633a94239fd1938608

592e8d0e0a85..6bf103767c578c39098a3bc76133224fb0d015af

e70cfdcc6be7..af3fe396866dc7cc1f4505191eadc7cbad36d3a4

n/a (submodule)

n/a (submodule)