Timing side-channel in RSA PKCS#1 v1.5 decryption (CVE-2026-50587)

Title

Timing side-channel in RSA PKCS#1 v1.5 decryption

CVE

CVE-2026-50587

Date

7th of July, 2026

Affects

All versions of Mbed TLS from 2.17.0 to 3.6.6; all versions of Mbed TLS from 4.0.0 to 4.1.0; all versions of TF-PSA-Crypto up to 1.1.0

Not affected

Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions; TF-PSA-Crypto 1.1.1 and later 1.1.x versions; TF-PSA-Crypto 1.2.0 and later 1.x versions

Impact

Plaintext recovery via decryption side channel

Severity

MEDIUM

Credits

zhengg

Vulnerability

The function psa_asymmetric_decrypt() used with PSA_ALG_RSA_PKCS1V15_CRYPT has a timing side channel in its error handling that allows an attacker to distinguish between success, invalid padding, and valid padding that produces a plaintext larger than the provided buffer.

Additionally, in Mbed TLS 3.6 with MBEDTLS_USE_PSA_CRYPTO enabled, mbedtls_pk_decrypt() has a similar side channel when used with RSA PKCS#1 v1.5. (TF-PSA-Crypto retains some mbedtls_pk_xxx() APIs, but not mbedtls_pk_decrypt().)

Impact

An attacker who can submit crafted RSA PKCS#1 v1.5 ciphertexts for repeated decryption and distinguish the resulting timing or execution-path differences can gradually recover plaintexts by exploiting the side channel as a Bleichenbacher oracle.

Depending on protocol usage, this may allow recovery of transported secrets (e.g. the pre-master secret in TLS 1.2 pure-RSA key exchange) and compromise of confidentiality.

Affected versions

All versions of TF-PSA-Crypto up to 1.1.0 are affected.

All versions of Mbed TLS from 2.17.0 to 3.6.6 are affected. All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected.

Work-around

There is no practical work-around for psa_asymmetric_decrypt().

In Mbed TLS 3.6, mbedtls_pk_decrypt() is not affected if MBEDTLS_USE_PSA_CRYPTO is disabled, which it is in the default configuration. (The low-level APIs from rsa.h in Mbed TLS 3.6 are not affected, because the side channel is in error translation and propagation.)

Resolution

Affected users should upgrade to TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or to TF-PSA-Crypto 1.2.0 or a later 1.x version.

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version.

Warning

Even after this side channel in the library is fixed, RSA PKCS#1 v1.5 decryption remains a dangerous operation, and applications using it need to take at least the following precautions, where observable behavior may include error codes, alerts, connection behavior, logs visible to an attacker, later protocol messages, or timing.

  1. Do not allow an attacker to distinguish, through observable behavior, between successful decryption, invalid padding, and valid padding with a buffer too small for the resulting plaintext.

  2. If the protocol expects a fixed-length secret, treat invalid padding or unexpected-length plaintexts as a fresh random secret of the expected length, without letting observable behavior reveal whether you’re using the plaintext or the random bytes.

  3. Do not let any observable behavior reveal information about individual bytes of the decrypted plaintext, such as whether a byte equals an expected value.

  4. Do not let any observable behavior reveal the length of the resulting plaintext.

RSA PKCS#1 v1.5 decryption is widely considered dangerous, and whenever possible should be avoided in favour of better alternatives, such as OAEP.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

TF-PSA-Crypto 1.1.x

TF-PSA-Crypto 1.x (x>1)

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

4c70413087eb..682d8f3e894e + 8f4a4eac9878 + fe47e9ed89f5 + c76cfd536e488b1397d5077e667e84339e471fa1

ab2b4230d01b..d9e5bd9ada7babe2c46cc10067aff05ffb2cc466

b31204d470c9..cc6ade732a46fb9a268c6e51e807ee3ba48fd452

n/a (submodule)

n/a (submodule)

With tests and documentation

4c70413087eb..591982e0477b6a70dba525b72073054cfdd5996b

ab2b4230d01b..7ecf00d6c444ebe79db1e55870b97c30526c03c0

b31204d470c9..f625206b88bbcba76551a007bc38e3ff8858c686

n/a (submodule)

n/a (submodule)