A random generator fault can compromise TLS data integrity (CVE-TODO)

Title

A random generator fault can compromise TLS data integrity

CVE

CVE-TODO

Date

7th of July, 2026

Affects

All versions of Mbed TLS from 3.2.0 to 3.6.6; Mbed TLS 4.0.0; Mbed TLS 4.1.0

Not affected

Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x version; Mbed TLS 4.2.0 and later 4.x versions

Impact

TLS 1.3 application data integrity

Severity

LOW

Credits

Mohammad Seet (mhdsait101)

Vulnerability

A logic error in ssl_tls13_prepare_new_session_ticket() causes it to return 1 rather than a negative error code if psa_generate_random() fails. On some platforms, an attacker with physical or local access may glitch the entropy source, which can cause psa_generate_random() to fail, depending on the random generator configuration.

The TLS library internally treats any nonzero value as an error, so for the most part, the impact is limited to returning the wrong error code for this error condition. However, applications may call mbedtls_ssl_read() or mbedtls_ssl_write() before the handshake is complete, in which case the functions will try to complete the handshake (and return MBEDTLS_ERR_SSL_WANT_READ or MBEDTLS_ERR_SSL_WANT_WRITE). If ssl_tls13_prepare_new_session_ticket() returns 1 due to the random generator failure, mbedtls_ssl_read() or mbedtls_ssl_write() returns 1, letting the application believe that one byte of application data has been read or written. With mbedtls_ssl_read(), the byte value that has seemingly been read is the previous content of the output buffer.

Impact

Consider an application running a TLS server, that receives a TLS 1.3 connection. Suppose that an attacker can cause the platform’s entropy source to fail.

If the application calls mbedtls_ssl_read() before the TLS handshake is over, the attacker can inject extra data before the actual data from the client. The attacker can control how many bytes are injected, but not the value of these bytes.

If the application calls mbedtls_ssl_write() before the TLS handshake is over, the attacker can cause some initial bytes not to be sent from the server.

Affected versions

All versions of Mbed TLS 3.x from 3.2.0 to 3.6.6 are affected. Mbed TLS 4.0.0 and 4.1.0 are affected.

Work-around

Applications are only affected if they call mbedtls_ssl_read() or mbedtls_ssl_write() before the initial TLS handshake is over.

The bug only affects TLS 1.3 servers. TLS 1.2 connections are not affected, and in particular renegotiation handshakes are not affected.

Applications are only affected if they issue TLS 1.3 session tickets. They only do so when MBEDTLS_SSL_SESSION_TICKETS is enabled (it is enabled by default) and the application has configured a ticket callback with mbedtls_ssl_conf_session_tickets_cb(). Furthermore tickets are not issued if the application has disabled them by calling mbedtls_ssl_conf_new_session_tickets() with a count of 0.

Applications are only affected if the random generator is configured to fail if the entropy source fails, which is the case by default, but can be avoided by setting the reseed interval to INT_MAX.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7, Mbed TLS 4.1.1 or Mbed TLS 4.2.0 depending on which branch they are tracking.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

a5699bdb914ac6f65c867cf842911cdaa9d5618e

465d6e9669a24ff7fe1a018fafe0e9f44aa4a48b

465d6e9669a24ff7fe1a018fafe0e9f44aa4a48b

With tests and documentation

77b1a22bc31d0017b07425bba61e5a4ecb82b9c5..8b7af9d421c62497f3a4e4a8be476b7fe8323c3f

0fe989b6b514192783c469039edd325fd0989806..b05434c1b1df14cb3b2ce52dd1200c3ba9f9b198

0fe989b6b514192783c469039edd325fd0989806..b05434c1b1df14cb3b2ce52dd1200c3ba9f9b198