TLS 1.3 early data integrity failure due to buffered plaintext across key change (CVE-2026-TODO)

Title

TLS 1.3 early data integrity failure due to buffered plaintext across key change

CVE

CVE-2026-TODO

Date

7th of July, 2026

Affects

Mbed TLS 3.6.0 to 3.6.6; Mbed TLS 4.0.0 to 4.1.0

Not affected

All versions before Mbed TLS 3.6.0; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions

Impact

A network attacker capable of modifying traffic between a TLS 1.3 client and server can cause accepted TLS 1.3 early data to be silently discarded while the handshake completes successfully.

Severity

MEDIUM

Credits

Ben Smyth, https://bensmyth.com

Vulnerability

TLS 1.3 requires handshake messages immediately preceding a key change to align with record boundaries. In affected versions, Mbed TLS may retain and subsequently process trailing bytes that follow a ClientHello message within the same TLS record.

An attacker capable of modifying traffic between a TLS 1.3 client and server can exploit this behavior by appending a forged EndOfEarlyData message to a ClientHello record and suppressing the client’s genuine early-data records. The server may process the forged message, transition to handshake traffic keys, and complete the TLS handshake successfully.

As a result, TLS 1.3 early data (0-RTT) sent by the client can be silently discarded while both endpoints complete the handshake and report successful establishment of the connection.

The attack requires:

  • TLS 1.3 to be enabled.

  • Server-side support for TLS 1.3 early data (0-RTT).

  • An attacker capable of modifying traffic between the client and server.

Impact

A successful attack can cause 0-RTT application data sent by the client to be silently discarded while the TLS handshake succeeds and the client receives an indication that the early data was accepted.

Applications relying on TLS 1.3 early data for latency-sensitive operations may incorrectly assume that requests or commands were processed when they were never delivered to the server.

The vulnerability affects the integrity of early-data delivery. It does not enable disclosure of encrypted early data or modification of authenticated post-handshake application data.

Affected versions

Mbed TLS 3.6.0 to 3.6.6 included; Mbed TLS 4.0.0 to 4.1.0 included.

Work-around

Users can mitigate the issue by:

  • Not enabling TLS 1.3 early data (MBEDTLS_SSL_EARLY_DATA), disabled by default.

  • Avoiding application reliance on successful delivery of 0-RTT data until an updated release is deployed.

Applications that do not enable TLS 1.3 early data are not vulnerable to the reported integrity impact.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2 or a later 4.x version.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix (5 commits)

27c489be620005ae5ba935b1cc717ca6636efa79 835ffb3a7c75e5d44df2608b42c7b5b0c6bbfbfb 8f1e330f20f9abcea9547c8dc113a8695571f9e5 b71ec46f4f129cc583cffc791ba9a55a8a22b8e3 26eb6a36cf4e753a6550b75bbf566a936b6139f2

f17c5ff90d625f6b793acf97c2d9ee0b811a483c 7dc69f331fb19246b1b463feea97d79f709b6342 1235722aa12df370f057540270d99f112b038e8f 0fe502312d2fb2664985886db19693557de7e669 45d892ea3d69d2996937503e269c2ec04a2e7557

3861588b47d045afcc66d9ba8b73b8217e87d2ce 0c9d3d4a0fb50216993d4142335a2888929bcd72 6c557a70f6a2992282e5a342714be4c89130b8f4 74b9ab200820537b8f5cf8e55bd4f42d912a4c78 b188f399f926af64d06fdb842cbbceed2209f6a8

With tests and documentation

46069c6127b75ba786c9001d5a8ad84f82d27576..26eb6a36cf4e753a6550b75bbf566a936b6139f2

5aac408d2a5dbb25357cd5ac49b60e9c18f54ab9..45d892ea3d69d2996937503e269c2ec04a2e7557

f74ef9b3ab885d9956b37ffd95065779563c69ca..b188f399f926af64d06fdb842cbbceed2209f6a8