Out-of-bounds read when parsing a zero-length ECC public key (CVE-2026-50583)
Title |
Out-of-bounds read when parsing a zero-length ECC public key |
|---|---|
CVE |
CVE-2026-50583 |
Date |
7th of July, 2026 |
Affects |
All versions of Mbed TLS from 3.5.0 to 3.6.6 with driver-only ECC; all versions of Mbed TLS from 4.0.0 to 4.1.0; all versions of TF-PSA-Crypto up to 1.1.0 |
Not affected |
Mbed TLS up to 3.4.1; Mbed TLS 3.5.0 through 3.6.6 with built-in ECC; Mbed TLS 3.6.7 and later 3.6.x versions; Mbed TLS 4.1.1 and later 4.1.x versions; Mbed TLS 4.2.0 and later 4.x versions; TF-PSA-Crypto 1.2.0 and later 1.x versions |
Impact |
Out-of-bounds read while parsing malformed ECC key material, potentially causing a crash |
Severity |
LOW |
Vulnerability
When parsing malformed externally supplied ECC key material, Mbed TLS or
TF-PSA-Crypto can read one byte past the supplied public-key buffer. The
malformed input can be an ASN.1 SubjectPublicKeyInfo whose ECC public-key
BIT STRING contains no ECPoint payload, or the optional publicKey field of a
SEC1 ECPrivateKey.
In Mbed TLS, this issue can be reached through APIs that parse ECC public keys,
EC private keys, certificates or CSRs, including
mbedtls_pk_parse_public_key(), mbedtls_pk_parse_key(),
mbedtls_x509_crt_parse() and mbedtls_x509_csr_parse().
Internally, the missing length check is in mbedtls_pk_ecc_set_pubkey(), which
inspects the first byte of the encoded public key before validating that the
supplied public-key buffer is non-empty.
In Mbed TLS 3.x, this code path is only used when MBEDTLS_PK_USE_PSA_EC_DATA
is defined. Builds using the legacy ECP-backed representation are not affected.
Mbed TLS 4.x is affected through its TF-PSA-Crypto submodule.
Impact
Out-of-bounds read while parsing malformed ECC key material, potentially causing a crash.
Affected versions
All versions of TF-PSA-Crypto up to 1.1.0 are affected.
All versions of Mbed TLS from 3.5.0 to 3.6.6 are affected in configurations where
MBEDTLS_USE_PSA_CRYPTO and the PK module are enabled, PSA supports ECC through
a driver, and built-in ECC support is disabled.
All versions of Mbed TLS from 4.0.0 to 4.1.0 are affected.
Work-around
Applications using vulnerable versions should avoid parsing ECC public keys, certificates, CSRs or EC private keys unless the input has first been validated to reject zero-length ECC public-key encodings.
Resolution
Affected users should upgrade to TF-PSA-Crypto 1.1.1 or a later 1.1.x version, or to TF-PSA-Crypto 1.2.0 or a later 1.x version.
Affected users should upgrade to Mbed TLS 3.6.7 or a later 3.6.x version, or to Mbed TLS 4.1.1 or a later 4.1.x version, or to Mbed TLS 4.2.0 or a later 4.x version.
Fix commits
We recommend that users upgrade to a release including the fix. However, if you are maintaining a branch with backported bug fixes, here are the most relevant commits. Please note that these commits may not apply cleanly to older versions of the library, and may not provide a complete fix even if they do apply. The TF-PSA-Crypto and Mbed TLS development team does not provide support outside of maintained branches.
Branch |
Mbed TLS 3.6.x |
TF-PSA-Crypto 1.1.x |
TF-PSA-Crypto 1.x (x>1) |
Mbed TLS 4.1.x |
Mbed TLS 4.x (x>1) |
|---|---|---|---|---|---|
Basic fix |
0e2d7037db4048dbf1c194508c07384a818261d5 |
c99519080302cbcf19ad61d57c1d6fc614608336 |
e7183dbf9789834f89a5ed41f2156dcf34f130c3 |
N/A |
N/A |
With tests and documentation |
aecc26ac7c523e741dd62d94890278326fe7c230..3208173d3d6728b6d1eb25a1a448067c781cbb69 |
de89cfc02ecb5a4ae67da155ebace3eff83555b2..32a2f6bb62dd3837951ccd546cb62638d56cbf61 |
feb70754b0a8d79f46d2c5f3eb8348c2212918c8..718f15d851316cbed7242b3a07b31c1712c51ef1 |
N/A |
N/A |