Heap corruption with early renegotiation after corrupted record in DTLS (CVE-2026-50713)

Title

Heap corruption with early renegotiation after corrupted record in DTLS

CVE

CVE-2026-50713

Date

7th of July, 2026

Affects

Mbed TLS 3.6.3 to 3.6.6

Not affected

Mbed TLS 3.6.2 and earlier; Mbed TLS 4.0.0 and later

Impact

Remote code execution through heap corruption

Severity

HIGH

Credits

Haruki Oyama

Vulnerability

Mbed TLS 3.6.3 added support for receiving fragmented handshake messages in TLS 1.2 and 1.3, for interoperability. This new feature required an extra field in the TLS context (mbedtls_ssl_context), called in_hsfraglen in Mbed TLS 4.0.0, containing the amount of data that is already received in an incomplete handshake message. In the 3.6 long-term support (LTS) branch, in order to preserve ABI compatibility, the existing field badmac_seen was renamed to badmac_seen_or_in_hsfraglen. In DTLS, this field tracks the number of records received with a bad MAC (or authentication tag, in AEAD cipher suites). In TLS, this field was previously unused, and is now used for handshake message parsing.

Due to an implementation mistake, the code sometimes reads the dual-purpose field without checking the active protocol. Specifically, at the beginning of mbedtls_ssl_prepare_handshake_record(), the field ssl->in_hslen is not updated when ssl->badmac_seen_or_in_hsfraglen != 0. Thus, after receiving a message with a bad MAC, the handshake message length is not updated, which causes problems in subsequent processing.

During the initial DTLS handshake, only the last message (Finished) is authenticated with a MAC or tag, and if the MAC is invalid, the handshake is rejected immediately. (Note that only DTLS 1.2 is supported, not DTLS 1.3.) Therefore ssl->badmac_seen_or_in_hsfraglen remains 0.

After exchanging application data, ssl->badmac_seen_or_in_hsfraglen may be nonzero if a bad-MAC limit has been set with mbedtls_ssl_conf_dtls_badmac_limit(). If the library sees a handshake message, it can only legitimately be a renegotiation attempt. If renegotiation is disabled (at compile time or run time), the attempt is correctly rejected.

However, if renegotiation is enabled, the library decrypts and parses the handshake message. Due to the incorrect value of ssl->in_hslen, the normal message processing fails.

Furthermore, if the handshake message’s sequence number indicates a prior missing record, then this message needs to be queued. This happens in the function ssl_buffer_message(), which allocates a heap buffer to store the message. The buffer size is ssl->in_hslen, which is still 0. On most platforms, malloc(0) reserves a unique heap location whose size is only a few bytes. The library then writes at least a reconstructed 12-byte header, followed by the message content, whose length is determined from the message content. This overflows a heap buffer, thus corrupts the heap.

Impact

A man-in-the-middle in a DTLS connection where one endpoint has enabled renegotiation and has set a limit to the number of corrupted records can cause heap corruption by rearranging traffic or injecting specially crafted packets. Depending on the application and on the memory layout, this may allow remote code execution.

Affected versions

Only versions of Mbed TLS from 3.6.3 to 3.6.6 are affected.

Work-around

Applications are affected only if they declare a limit to the number of records with a bad MAC/tag with mbedtls_ssl_conf_dtls_badmac_limit(). By default, the bad MAC count is unlimited, which avoids the bug.

Applications are affected only if renegotiation is enabled. It is disabled by default.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.x (which has incompatible changes).

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

24c2875cb0eb655fffe7b6a7a956f34bacb7b0a4

N/A

N/A

With tests and documentation

915442dbedffa7c856b92a021e9ac40176514f20..794e1a89db1fdf101ce39134647d08b0bd936e3f

N/A

N/A