Signature algorithm restrictions not enforced on certificate chain (CVE-2026-54441)
Title |
Signature algorithm restrictions not enforced on certificate chain |
|---|---|
CVE |
CVE-2026-54441 |
Date |
7th of July, 2026 |
Affects |
Mbed TLS up to 3.6.6 and earlier; Mbed TLS 4.0.0 and 4.1.0 |
Not affected |
Mbed TLS 3.6.7 and later, Mbed TLS 4.1.1 and later, Mbed TLS 4.2.0 and later |
Impact |
An application may accept certificate chains signed with algorithms that were not intended to be allowed |
Severity |
LOW |
Credits |
Xiangdong Li, Beijing University of Posts and Telecommunications (BUPT) |
Vulnerability
Mbed TLS provides two separate API functions that affect which signature algorithms are accepted during a TLS handshake:
mbedtls_ssl_conf_sig_algs(): configures the list of signature algorithms advertised in the TLSsignature_algorithmsextension, which is enforced for handshake signatures.mbedtls_ssl_conf_cert_profile(): controls which signature algorithms are accepted when verifying the certificate chain.
In the TLS 1.3 protocol, the signature_algorithms extension covers both handshake signatures and certificate chain signatures unless a separate signature_algorithms_cert extension is also sent. Mbed TLS does not send signature_algorithms_cert, so the same list is advertised for both purposes. This makes it reasonable to expect that mbedtls_ssl_conf_sig_algs() would also restrict which signature algorithms are accepted in the certificate chain.
However, Mbed TLS enforces these two settings independently: mbedtls_ssl_conf_sig_algs() only affects handshake signatures, while certificate chain verification is governed solely by mbedtls_ssl_conf_cert_profile(). The documentation for mbedtls_ssl_conf_sig_algs() did not make this separation explicit, which could lead developers to believe that configuring sig_algs alone is sufficient to enforce signature algorithm restrictions across the entire handshake, including certificate verification.
An application is vulnerable if it calls mbedtls_ssl_conf_sig_algs() to configure a restricted set of algorithms and assumes that the certificate chain will also be verified against that restriction, without also calling mbedtls_ssl_conf_cert_profile() with a suitably restrictive profile.
Impact
A peer may present a certificate chain signed with a signature algorithm that the application intended to reject. If the application relies solely on mbedtls_ssl_conf_sig_algs() and does not configure a certificate profile via mbedtls_ssl_conf_cert_profile(), the certificate chain signature will be accepted regardless of the configured sig_algs. This may allow a peer to use certificates with signature algorithms the developer intended to forbid, potentially weakening the security posture of the application.
Affected versions
Mbed TLS 3.6.6 and earlier; Mbed TLS 4.0.0 and 4.1.0.
Resolution
Applications can protect themselves by explicitly calling mbedtls_ssl_conf_cert_profile() with an X.509 certificate profile that restricts the accepted signature algorithms to match the intended policy. For example, use one of the built-in profiles such as mbedtls_x509_crt_profile_suiteb or define a custom mbedtls_x509_crt_profile structure.
Fix commits
Updated documentation can be found at following commits:
Branch |
Mbed TLS 3.6.x |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|
Updated documentation |
aecc26ac7c523e741dd62d94890278326fe7c230..b9c8c9c4275bf8e5e88aa9e1e8f6d518fa78367b |
b2e36d7d7aa9968087eac0a40457783c61c90720..bd57fb5e8afe003ed24a2ae9e8ca487ecdc4c3f4 |
4a1d150cdf441d0b1d984ea825a21d5770a9f94a..147ad72669797947bef12a0bdbe5dec0ed805c58 |