TLS 1.3 client accepts HelloRetryRequest selecting an unadvertised group (CVE-2026-25832)

Title

TLS 1.3 client accepts HelloRetryRequest selecting an unadvertised group

CVE

CVE-2026-25832

Date

7th of July, 2026

Affects

Mbed TLS 3.5.0 through 3.6.6, all Mbed TLS 4 versions up to 4.1.1

Not affected

all versions up to and including 3.4.1, Mbed TLS 3.6.7 and later, and Mbed TLS 4.1.2 and later.

Impact

TLS 1.3 client group policy bypass; Limited denial of service in some configurations

Severity

LOW

Credits

Din Asotic / Xiangdong Li, Beijing University of Posts and Telecommunications (BUPT) / Bin Luo, University of Electronic Science and Technology of China (UESTC)

Vulnerability

When an Mbed TLS client processes a TLS 1.3 HelloRetryRequest, it is required to check that the selected_group in the server’s key_share extension was present in the supported_groups extension of the original ClientHello. If this check fails, RFC 8446 requires the client to abort the handshake with an illegal_parameter alert.

Affected versions did not correctly perform this validation.

A misbehaving server could use HelloRetryRequest to nudge the client into bypassing its security policy by selecting a cryptographic group that the client did not advertise.

Impact

The impact is low: a malicious/misbehaving server can bypass a TLS 1.3 client’s configured group policy, or cause handshake failure when selecting an unacceptable group. This does not by itself compromise session keys or certificates.

Affected versions

All Mbed TLS 3.5 versions, all 3.6 versions up to 3.6.6, all Mbed TLS 4 versions up to 4.1.1.

Applications are affected when all of the following are true:

  • TLS 1.3 client support is enabled.

  • A TLS 1.3 ephemeral or PSK-ephemeral key exchange mode is enabled.

  • The application relies on mbedtls_ssl_conf_groups() or equivalent configuration to restrict the groups that the client may offer.

  • The client connects to a malicious or compromised server that sends a HelloRetryRequest selecting a group outside the client’s originally advertised supported_groups list.

Work-around

Where upgrading is not immediately possible, applications can avoid exposure by disabling TLS 1.3 client connections, or by only connecting TLS 1.3 clients to trusted servers that cannot send malicious HelloRetryRequest messages.

Applications are not affected if they do not enable TLS 1.3 client support, use TLS 1.3 PSK-only key exchange, or do not rely on the TLS 1.3 supported group list as a security or compliance boundary.

Resolution

Affected users of the 3.6 LTS branch should upgrade to 3.6.7 or later. Affected users of the 4.x series should upgrade to 4.1.2 or later.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

TF-PSA-Crypto 1.1.x

TF-PSA-Crypto 1.x (x>1)

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix

55ccd932658b933f224cc0384ab5a5197e5680e2

Not applicable

Not applicable

cec2cef6b5ce9ae3cb2bbcd43f3ac8c06f1f9508

902762039334c91813ab9e9ba8ccef5356e819e4

With tests and documentation

aecc26ac7c..8c458b8cca4c4a55142efd65348e93595ec71723

Not applicable

Not applicable

b2e36d7d7a..e16f0e0b014be310f423de5e52109cd0712db6f7

cb4d172ce0..e2a6f05640528b1eff715824f3d931b81e7c911d