Information disclosure in TLS 1.2 NewSessionTicket (CVE-2026-50586)

Title

Information disclosure in TLS 1.2 NewSessionTicket

CVE

CVE-2026-50586

Date

7th of July, 2026

Affects

Mbed TLS 2.0.0 through 2.28.10; Mbed TLS 3.0.0 through 3.6.6; Mbed TLS 4.0.0 through 4.1.0

Not affected

Mbed TLS 1.3.22 and earlier; Mbed TLS 3.6.7 and later 3.6 versions; Mbed TLS 4.1.1 and later 4.1 versions; Mbed TLS 4.2.0 and later 4.x versions

Impact

A TLS 1.2 server can disclose 4 bytes of stack memory to a peer in a NewSessionTicket message when ticket generation fails.

Severity

LOW

Credits

James Love

Vulnerability

Mbed TLS TLS 1.2 servers can send a NewSessionTicket message after the server session-ticket write callback fails. In ssl_write_new_session_ticket() in library/ssl_tls12_server.c, the callback configured through mbedtls_ssl_conf_session_tickets_cb() is responsible for writing the session ticket and returning both the ticket length and the ticket lifetime hint.

Before the fix, the local lifetime variable was not initialized before calling the callback. If the callback returned an error without writing lifetime, the function still serialized lifetime into the ticket_lifetime_hint field of the NewSessionTicket handshake message. This caused 4 bytes of uninitialized server stack memory to be sent to the TLS 1.2 peer.

Applications are only affected when they run a TLS 1.2 server with session tickets enabled and the configured ticket-write callback can fail on a path that leaves the lifetime output parameter unset. The built-in behavior intentionally continues the handshake with an empty ticket when ticket generation fails, so the failure path must still produce a well-defined zero lifetime and zero-length ticket.

Impact

A remote peer that can trigger or observe a ticket-write failure can receive 4 bytes of stack memory from the server process in the ticket_lifetime_hint field. The practical impact is limited because exploiting this for sensitive data would require useful data to remain on the stack in the leaked location and require the attacker to arrange a failing ticket-write path.

Affected versions

Mbed TLS 2.0.0 through 2.28.10, Mbed TLS 3.0.0 through 3.6.6, and Mbed TLS 4.0.0 through 4.1.0 are affected when TLS 1.2 session tickets are enabled and ticket generation can fail as described above.

Mbed TLS 1.3.22 and earlier are not affected. Although those releases contain TLS 1.2 NewSessionTicket code, they do not contain the callback path with an uninitialized lifetime variable.

Work-around

Applications can avoid the issue by disabling TLS 1.2 session tickets, disabling TLS 1.2 server support, or ensuring that their ticket-write callback always initializes both output parameters before returning, including on failure paths.

Applications are not vulnerable if they do not use TLS 1.2 server-side session tickets, if their ticket-write callback cannot fail, or if the callback always sets the ticket length and lifetime outputs to defined values before returning an error.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, Mbed TLS 4.1.1 or a later 4.1.x version, Mbed TLS 4.2.0, or a later maintained release containing the fix. The fix initializes the ticket length and lifetime variables to zero before calling the ticket-write callback, so the failure path sends an empty ticket with a zero lifetime instead of serializing uninitialized stack data.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

TF-PSA-Crypto 1.1.x

TF-PSA-Crypto 1.x (x>1)

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

99ccd257e2d6c5fc53bc970e3e533a90c363f8e1 548ed19f707565db5fb4c2487edd7ae1bea50199

N/A

N/A

56e314728bd5c3fcb41a646972c2159403d733ac dd5a8501c0e58acfff9ec551cb1b15b69a24591f

a5c2e02198433b4808c500bd8f5e77bd07d82bf1 38185e2308d201d7dfd05aa0032636440bdd1bfa

With tests and documentation

02451dcc658d397381b16a574c2c68d441e92b33^..6bf3204e64f720a54b8d22a76dde9ec609154ce8

N/A

N/A

75cfc5c0b9cbd6b820fd45642d9c37aaf6beb7a5^..f2a1306c867f6c3be7d7e04af39772afbd46b57a

f5675fd06442dbf9d11dfdd78a5d99657de8b12f^..273c9b38b78da06244bd685dd7073e599f10eb9e