X.509 CA bit forgery via invalid basicConstraints extension (CVE-2026-49300)

Title

X.509 CA bit forgery via invalid basicConstraints extension

CVE

CVE-2026-49300

Date

7th of July, 2026

Affects

all versions of Mbed TLS up to 3.6.6; Mbed TLS 4.0.0 to 4.1.0

Not affected

Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions

Impact

end-entity certificates may be read as CA certificates

Severity

HIGH

Credits

Mohammad Seet (mhdsait101); Pablo Ruiz García; NVIDIA Project Vanessa

Vulnerability

Due to two flaws in how Mbed TLS parses X.509 certificates, some technically invalid certificates are parsed as having the CA bit set, while many other X.509 parsers accept these certificates as end-entity (non-CA) certificates.

Unchecked sequence boundary

According to RFC 5280 §4.1, each extension in an X.509 certificate is given by an OID, an optional critical flag, and the extension value inside an ASN.1 OCTET STRING. The extension value is itself formatted according to ASN.1 rules. In a basicConstraints extension, the value is a SEQUENCE.

Mbed TLS accepts certificates that are syntactically invalid, where the content of the basicConstraints OCTET STRING is a truncated SEQUENCE, but subsequent bytes of the certificate form a valid SEQUENCE. As a consequence, it is possible to craft an invalid certificate where Mbed TLS parses basicConstraints as a SEQUENCE containing the boolean cA:TRUE, while many major X.509 implementations ignore the invalid extension (and the cA flag defaults to FALSE).

Invalid CA flag type

According to RFC 5280 §4.2.1.9, the basicConstraints extension in an X.509 certificate is an ASN.1 SEQUENCE which contains an optional boolean (cA flag, defaulting to FALSE) followed by an optional INTEGER (maximum path length). Certificates where the cA flag is absent but the maximum path length is present are syntactically valid, but certificate authorities must not emit such certificates.

For historical reasons, Mbed TLS accepts a variant of the standard encoding where the CA value is an INTEGER. Thus it interprets a basicConstraints extension containing only a nonzero INTEGER as a CA certificate, whereas correct X.509 implementations parse it as having the BOOLEAN cA field omitted (defaulting to FALSE).

Impact

Each flaw causes some maliciously crafted X.509 certificates to be accepted as CA certificates by Mbed TLS, but as end-entity certificates by most other X.509 implementations.

This is a problem in the following scenario. Suppose a device can be customized with trusted roots for X.509 certificate validation, with an off-device validator that uses a different X.509 implementation. Suppose further that this process allows some users to upload an end-entity certificate for a specific name, but only authenticated administrators may upload a CA certificate.

A malicious user could upload a specially crafted certificate that looks like an end-entity certificate to the off-device validator, but is interpreted as a CA certificate on the device using Mbed TLS. This would allow the user to then authenticate with an arbitrary name, and not just the specific name submitted to the validator.

Affected versions

All versions of Mbed TLS up to 3.6.6 are affected. All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected.

Work-around

The vulnerabilities rely on the same certificate being interpreted differently by different TLS implementations. If Mbed TLS is used both to determine which certificates may be registered as trusted roots and to validate the certificate chain, there is no inconsistency.

The vulnerabilities only affect invalid certificates that certificate authorities must not emit. Therefore applications are only affected if they accept certificates directly from untrusted users. Applications are not affected if they require users to submit a certificate signing request (CSR) to a certificate authority (CA), and the application only accepts certificates from a trusted CA.

Resolution

Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version.

Fix commits

We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.

Branch

Mbed TLS 3.6.x

Mbed TLS 4.1.x

Mbed TLS 4.x (x>1)

Basic fix #1

07f45b87681c1a0680c260089d3e6349b25fdd08

9007fc4b9be08da1d494f8fa4a5a09180291956b

6c8ae1ea48ffa29d5401171244737eb0bc7f4d9c

Basic fix #2

4fb9c9e439fd1e7e44697d23d50f00b4642fbe08

f6afd20e719b6b3a8dcbf28dea3a0f736e9f02a9

5cc6fb22c63ecf946920bce3d5185baf03ab9559

Both fixes with tests

aecc26ac7c523e741dd62d94890278326fe7c230..abb6bcd35400128d7d529405369e7592eac73c16

b2e36d7d7aa9968087eac0a40457783c61c90720..49b13b34b332d997943f7a09dc846a0fa14a5a30

4a1d150cdf441d0b1d984ea825a21d5770a9f94a..e31c644041e1bdc021e1c28eb723cb770b4d31b0