SB2026071347 - Multiple vulnerabilities in mbed TLS
Published: July 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2026-50584)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and forge messages.
The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in ChaCha20, ChaCha20-Poly1305, and PSA AEAD APIs when processing more than 256 GB of data with the same key and nonce or when using a starting counter and input length that cross the 32-bit counter range. A remote attacker can provide specially crafted oversized input or trigger counter wraparound to disclose sensitive information and forge messages.
Mbed TLS TLS protocol code is not affected because it does not expose a way to exceed the ChaCha20-Poly1305 record limits under a single key and nonce.
2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-54435)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to recover long-term ECC keys.
The vulnerability exists due to observable timing side-channel behavior in optimized modular reduction routines for elliptic curve operations when performing repeated scalar multiplication with the same secret scalar. A local privileged user can obtain precise execution traces to recover long-term ECC keys.
Affected operations include deterministic ECDSA signature generation, derivation of the public key when loading a private key, and deterministic key generation.
3) Input validation error (CVE-ID: CVE-2026-54434)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to force the ECDH shared secret to a fixed value.
The vulnerability exists due to improper input validation in the built-in Curve25519 (X25519) ECDH implementation when performing key agreement with PSA_ALG_ECDH. A remote attacker can supply input that results in an all-zero shared secret to force the ECDH shared secret to a fixed value.
Only builds with MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED are vulnerable, and the issue applies to protocols that require contributory behaviour.
Remediation
Install update from vendor's website.
References
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-07-chacha20-counter-overflow-keystream-reuse/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-07-chacha20-counter-overflow/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-07-ecc-optimized-modp-side-channel/
- https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/SECURITY.md#physical-attacks
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-07-everest-low-order-input-validation/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-07-1/