Incomplete context reset in mbedtls_ssl_session_reset() (CVE-2026-50585)

Title

Incomplete context reset in mbedtls_ssl_session_reset()

CVE

CVE-2026-50585

Date

7th of July, 2026

Affects

  • badmac_seen: Mbed TLS releases up to 3.6.2, Mbed TLS 4.0.0 and 4.1.0.
  • dtls_srtp_info: Mbed TLS from 2.25.0 up to 3.6.6, Mbed TLS 4.0.0 and 4.1.0

Not affected

  • badmac_seen: Mbed TLS 3.6.3 and later 3.6.x releases, Mbed TLS 4.1.1 and later 4.1.x releases, Mbed TLS 4.2.0 and later 4.2.x releases.
  • dtls_srtp_info: Mbed TLS 3.6.7 and later 3.6.x releases, Mbed TLS 4.1.1 and later 4.1.x releases, Mbed TLS 4.2.0 and later 4.x releases

Impact

Applications reusing an SSL context may experience premature DTLS connection failure or incorrect DTLS-SRTP parameter inheritance

Severity

MEDIUM

Credits

jjfz123 / https://github.com/jjfz123 / https://www.linkedin.com/in/jjfdzcastro1/

Vulnerability

mbedtls_ssl_session_reset() is intended to reset an mbedtls_ssl_context for reuse across multiple connections. However, two fields of mbedtls_ssl_context were not zeroed by this function:

  • badmac_seen: a DTLS-specific counter tracking the number of records received with a failing MAC. If badmac_limit is configured via mbedtls_ssl_conf_bad_mac_limit(), the counter from the previous connection carries over to the next one.

  • dtls_srtp_info: holds the SRTP protection profile and MKI value negotiated during a DTLS-SRTP handshake. The structure is not cleared on session reset, so once the server received the SRTP extension it will always send it to the following sessions. It will share also srtp_mki from the last SRTP session.

An application is vulnerable if it calls mbedtls_ssl_session_reset() to reuse an mbedtls_ssl_context for a subsequent connection.

Impact

badmac_seen DoS: once a server has reached badmac_limit, it will no longer tolerate any bad MAC even in new connections.

dtls_srtp_info DoS: once a client has used SRTP, the server will indeed always send the SRTP extension.

dtls_srtp_info information leak: the server sends the srtp_mki value from the previous client that sent it. This value is a key identifier. This is a minor loss of privacy, not leakage of confidential material.

Affected versions

badmac_seen: Mbed TLS releases up to 3.6.2, Mbed TLS 4.0.0 and 4.1.0.

dtls_srtp_info: Mbed TLS from 2.25.0 up to 3.6.6, Mbed TLS 4.0.0 and 4.1.0

Work-around

Applications can avoid this vulnerability by not reusing SSL contexts across connections. Instead of calling mbedtls_ssl_session_reset(), call mbedtls_ssl_free() followed by mbedtls_ssl_init(), mbedtls_ssl_setup() and all the optional configuration functions (ex: mbedtls_ssl_set_bio()) to obtain a fresh context for each connection.

Applications that do not call mbedtls_ssl_conf_bad_mac_limit() with a non-zero value are not affected by the badmac_seen issue.

Applications that have MBEDTLS_SSL_DTLS_SRTP disabled (which it is by default) or that do not call mbedtls_ssl_conf_dtls_srtp_protection_profiles() are not affected by the dtls_srtp_info issue.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or later Mbed TLS 3.6.x versions, Mbed TLS 4.1.1 and later Mbed TLS 4.1.x versions, Mbed TLS 4.2.0 or later Mbed TLS 4.x versions.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

2c33afacd5f65a609534839bdeb6c11f5204328b

4b086ed04e12a0d621cee6dfbc30ee6f2e74d0bf

a2338a21fa8c6c1c80284f80c032208168cdb183

With tests and documentation

2c33afacd5f65a609534839bdeb6c11f5204328b^..e093798e77337929d81c7e37712bf00b7fc59daf

be883e19f50d9cb66d881598bb02102eabf3a957^..3b84f44c7fb2e987ad3a878e5d8abfaf549408be

3e191be15a7b5a51b1a9d76b48dc88f77929851c^..4f92a63e4a2e07a62ae0da604d0269e25450345f