Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing (CVE-2026-50588)
Title |
Out-of-bounds read in TLS 1.2 EC J-PAKE ServerKeyExchange parsing |
|---|---|
CVE |
CVE-2026-50588 |
Date |
7th of July, 2026 |
Affects |
Mbed TLS 3.3.0 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0 |
Not affected |
Mbed TLS before 3.3.0; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions |
Impact |
A malicious TLS 1.2 server can cause a client to read outside the validated ServerKeyExchange message while parsing an EC J-PAKE key exchange |
Severity |
LOW |
Credits |
Biniam Demissie |
Vulnerability
In TLS 1.2 clients, when parsing a ServerKeyExchange message for the EC J-PAKE ciphersuite, Mbed TLS read the first three bytes of the EC J-PAKE key exchange parameters before checking that three bytes were present in the message body. These bytes encode the curve type and the TLS named curve identifier.
If a malicious TLS 1.2 server selected the
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 ciphersuite and sent a truncated
ServerKeyExchange message, the client could read beyond the validated end of
the current handshake message. If the bytes read beyond the message happened to
match the expected curve encoding, subsequent EC J-PAKE parsing could consume a
larger amount of data outside the message boundary.
This vulnerability only affects builds with
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED enabled. EC J-PAKE support is disabled
in the default Mbed TLS configuration.
Impact
A malicious TLS 1.2 server can trigger an out-of-bounds read in an affected client during the handshake. In most configurations, the read remains within the TLS input buffer and reads stale data from outside the current handshake message. In configurations where the TLS input buffer is too small for an EC J-PAKE handshake, the read can go past the end of the heap buffer.
The overread data is not copied back to the peer. The practical information leakage is limited to whether the overread data is accepted by later parsing, so the severity is LOW.
Affected versions
Mbed TLS versions 3.3.0 through 3.6.6 and 4.0.0 through 4.1.0 are affected when
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED is enabled.
Mbed TLS versions before 3.3.0 do not have the affected EC J-PAKE ServerKeyExchange parsing code. Mbed TLS 3.6.7 and later 3.6.x versions, Mbed TLS 4.1.1 and later 4.1.x versions, and Mbed TLS 4.2.0 and later 4.x versions, are not affected.
Work-around
Disable TLS 1.2 EC J-PAKE support by disabling
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED, or ensure that clients do not offer the
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 ciphersuite.
Applications that are built without MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED, do
not use TLS clients, only use TLS 1.3, or never allow negotiation of the
EC J-PAKE ciphersuite are not vulnerable.
Resolution
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, Mbed TLS 4.1.1 or a later 4.1.x version, or Mbed TLS 4.2.0 or a later version.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
e3be807e5c5ce216b8b832b1e746e4ef5c0765bf |
N/A |
N/A |
1ac3989db6cd0416f562764e3bfacca62ce4875c |
08e3e3f81e6c5703c3afcbfcb47c600a2b10afcb |
With tests and documentation |
e3be807e5c5ce216b8b832b1e746e4ef5c0765bf^..e1351f7881991951049fdcca230edd85dcde6f90 |
N/A |
N/A |
1ac3989db6cd0416f562764e3bfacca62ce4875c^..1a5e328377af66a1795ebf9440e79592bffa2a71 |
08e3e3f81e6c5703c3afcbfcb47c600a2b10afcb^..1aa125454601ef3492c285d2122518ac3fa3b6c2 |