Timing side-channel in RSA PKCS#1 v1.5 decryption (CVE-2026-50587)
Title |
Timing side-channel in RSA PKCS#1 v1.5 decryption |
|---|---|
CVE |
CVE-2026-50587 |
Date |
7th of July, 2026 |
Affects |
All versions of Mbed TLS from 2.17.0 to 3.6.6; all versions of Mbed TLS from 4.0.0 to 4.1.0; all versions of TF-PSA-Crypto up to 1.1.0 |
Not affected |
Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions; TF-PSA-Crypto 1.1.1 and later 1.1.x versions; TF-PSA-Crypto 1.2.0 and later 1.x versions |
Impact |
Plaintext recovery via decryption side channel |
Severity |
MEDIUM |
Credits |
zhengg |
Vulnerability
The function psa_asymmetric_decrypt() used with PSA_ALG_RSA_PKCS1V15_CRYPT
has a timing side channel in its error handling that allows an attacker to
distinguish between success, invalid padding, and valid padding that produces
a plaintext larger than the provided buffer.
Additionally, in Mbed TLS 3.6 with MBEDTLS_USE_PSA_CRYPTO enabled,
mbedtls_pk_decrypt() has a similar side channel when used with RSA PKCS#1
v1.5. (TF-PSA-Crypto retains some mbedtls_pk_xxx() APIs, but not
mbedtls_pk_decrypt().)
Impact
An attacker who can submit crafted RSA PKCS#1 v1.5 ciphertexts for repeated decryption and distinguish the resulting timing or execution-path differences can gradually recover plaintexts by exploiting the side channel as a Bleichenbacher oracle.
Depending on protocol usage, this may allow recovery of transported secrets (e.g. the pre-master secret in TLS 1.2 pure-RSA key exchange) and compromise of confidentiality.
Affected versions
All versions of TF-PSA-Crypto up to 1.1.0 are affected.
All versions of Mbed TLS from 2.17.0 to 3.6.6 are affected. All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected.
Work-around
There is no practical work-around for psa_asymmetric_decrypt().
In Mbed TLS 3.6, mbedtls_pk_decrypt() is not affected if
MBEDTLS_USE_PSA_CRYPTO is disabled, which it is in the default configuration.
(The low-level APIs from rsa.h in Mbed TLS 3.6 are not affected, because the
side channel is in error translation and propagation.)
Resolution
Affected users should upgrade to TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or to TF-PSA-Crypto 1.2.0 or a later 1.x version.
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version.
Warning
Even after this side channel in the library is fixed, RSA PKCS#1 v1.5 decryption remains a dangerous operation, and applications using it need to take at least the following precautions, where observable behavior may include error codes, alerts, connection behavior, logs visible to an attacker, later protocol messages, or timing.
Do not allow an attacker to distinguish, through observable behavior, between successful decryption, invalid padding, and valid padding with a buffer too small for the resulting plaintext.
If the protocol expects a fixed-length secret, treat invalid padding or unexpected-length plaintexts as a fresh random secret of the expected length, without letting observable behavior reveal whether you’re using the plaintext or the random bytes.
Do not let any observable behavior reveal information about individual bytes of the decrypted plaintext, such as whether a byte equals an expected value.
Do not let any observable behavior reveal the length of the resulting plaintext.
RSA PKCS#1 v1.5 decryption is widely considered dangerous, and whenever possible should be avoided in favour of better alternatives, such as OAEP.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
4c70413087eb..682d8f3e894e + 8f4a4eac9878 + fe47e9ed89f5 + c76cfd536e488b1397d5077e667e84339e471fa1 |
ab2b4230d01b..d9e5bd9ada7babe2c46cc10067aff05ffb2cc466 |
b31204d470c9..cc6ade732a46fb9a268c6e51e807ee3ba48fd452 |
n/a (submodule) |
n/a (submodule) |
With tests and documentation |
4c70413087eb..591982e0477b6a70dba525b72073054cfdd5996b |
ab2b4230d01b..7ecf00d6c444ebe79db1e55870b97c30526c03c0 |
b31204d470c9..f625206b88bbcba76551a007bc38e3ff8858c686 |
n/a (submodule) |
n/a (submodule) |