Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake (CVE-2026-50580)
Title |
Remote buffer overflow in TLS 1.2 ECDHE-PSK client handshake |
|---|---|
CVE |
CVE-2026-50580 |
Date |
7th of July, 2026 |
Affects |
Mbed TLS 1.3.10 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0 |
Not affected |
Mbed TLS 1.3.9 and earlier; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later versions; TF-PSA-Crypto |
Impact |
A malicious TLS 1.2 server can cause a client configured with an oversized PSK identity to write past the end of the TLS output buffer when an ECDHE-PSK ciphersuite is negotiated. |
Severity |
HIGH |
Credits |
Karnakar Reddy (@karnakarreddi) |
Vulnerability
In TLS 1.2 clients, ssl_write_client_key_exchange() constructs the
ClientKeyExchange message for ECDHE-PSK ciphersuites by writing the PSK
identity followed by the client’s ephemeral EC public key. Before the fix, the
ECDHE-PSK path checked that the output message buffer had enough room for the
handshake header, the two-byte PSK identity length, and the PSK identity, but
did not reserve room for the following one-byte EC point length field and the
EC public key.
If the client was configured with a sufficiently long PSK identity, this check could pass while leaving too little room for the EC public key. The subsequent public key export then computed the remaining output space from a pointer that could already be beyond the intended TLS output-content boundary. This could underflow the available-length calculation and let the public key export write past the end of the TLS output buffer in affected configurations.
Applications are vulnerable when they use a TLS 1.2 client configured with an
oversized static PSK identity, allow negotiation of ECDHE-PSK ciphersuites, and
run with an output-buffer layout that does not leave enough spare space after
MBEDTLS_SSL_OUT_CONTENT_LEN to absorb the overflow. The issue is exposed in
particular when CBC ciphersuites are disabled, reducing the extra output-buffer
padding that otherwise masks the overwrite in common configurations.
Impact
A malicious TLS 1.2 server or a TCP man-in-the-middle that negotiates an ECDHE-PSK ciphersuite with an affected client can trigger memory corruption while the client constructs its ClientKeyExchange message. Confirmed outcomes include a client-side process crash and denial of service. Depending on allocator behavior, build configuration, and application memory layout, code execution and heap corruption may be possible.
For the attack to be possible, the client application must be configured with a very long PSK identity and must offer ECDHE-PSK ciphersuites. Applications that use short PSK identities are not vulnerable to this issue: the PSK identity must be long enough that the ECDHE-PSK ClientKeyExchange message can fit the handshake header and PSK identity, but not the following EC public key.
Affected versions
Mbed TLS versions 1.3.10 through 3.6.6 and 4.0.0 through 4.1.0 are affected
when MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED is enabled and the application can
use an oversized PSK identity.
Mbed TLS 1.3.9 and earlier are not affected because they do not have ECDHE-PSK support. Mbed TLS 3.6.7 and later 3.6.x versions, Mbed TLS 4.1.1 and later 4.1.x versions, and Mbed TLS 4.2.0 and later versions include the fix.
TF-PSA-Crypto is not affected.
Work-around
Applications can avoid the issue by using short PSK identities. For
ECDHE-PSK, the ClientKeyExchange message needs 7 bytes of header and length
fields, the PSK identity, and the encoded client EC public key. The encoded
public key size depends on the negotiated curve; for the largest currently
supported built-in curves, reserving 133 bytes for it is sufficient. Therefore,
applications using those curves are not affected if the PSK identity length is
at most MBEDTLS_SSL_OUT_CONTENT_LEN - 140 bytes. For example, this allows PSK
identities up to 116 bytes with MBEDTLS_SSL_OUT_CONTENT_LEN set to 256, or up
to 884 bytes with MBEDTLS_SSL_OUT_CONTENT_LEN set to 1024. A 64-byte PSK
identity has enough room even with a 256-byte output content buffer.
Applications are also not vulnerable if they do not use TLS clients, do not
enable TLS 1.2, or do not enable ECDHE-PSK ciphersuites. If applications cannot
rely on PSK identity lengths being short enough or disable TLS 1.2 ECDHE-PSK
support by disabling MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED.
Resolution
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, Mbed TLS 4.1.1 or a later 4.1.x version, or Mbed TLS 4.2.0 or a later version.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
f9835c081f1ebed8c2ea3b23574da71c1bb66e44 |
N/A |
N/A |
f63ca6e0af1d37ae048e00e692f21d302d0acd25 |
baf449db7e31f031ed5def0fecf417122f72d3ee |
With tests and documentation |
f9835c081f1ebed8c2ea3b23574da71c1bb66e44^..b961ac2cf2472829066a97f10af544af267cfca2 |
N/A |
N/A |
f63ca6e0af1d37ae048e00e692f21d302d0acd25^..a98b95074ad1d2a73e91278a380a424f3f4df4c6 |
baf449db7e31f031ed5def0fecf417122f72d3ee^..911b9b67dbf335f79253c2b66acc9767e34b3105 |