CVE-2026-1677
Received Received - Intake
TLS 1.2 Negotiation in Zephyr Sockets with mbedTLS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: Zephyr Project

Description
Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that assumed `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses. As a workaround, the `TLS_CIPHERSUITE_LIST` socket option can be restricted to TLS 1.3-only cipher suites.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-1677
EUVD
EUVD-2026-29033
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr to 4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1677 is a vulnerability in the Zephyr RTOS where sockets created with the protocol `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection if both TLS 1.2 and TLS 1.3 are enabled. This happens because the socket-level protocol selection is not properly propagated to the underlying mbedTLS library, which means the ClientHello message advertises support for both TLS 1.2 and TLS 1.3. As a result, the peer can establish a TLS 1.2 connection even though the application expects TLS 1.3 only.

This leads to a situation where applications assuming they are using the more secure TLS 1.3 may silently fall back to TLS 1.2, exposing them to known weaknesses specific to TLS 1.2. The vulnerability arises because the minimum TLS version is not enforced via mbedTLS configuration functions, nor is the negotiated TLS version verified after connection establishment.

A workaround is to restrict the cipher suites to TLS 1.3-only using the `TLS_CIPHERSUITE_LIST` socket option. Proposed fixes include enforcing TLS 1.3 restrictions during socket creation or introducing new socket protocols to clarify version requirements.

Impact Analysis

This vulnerability can impact you by causing your application to use TLS 1.2 connections when you expect TLS 1.3, potentially exposing your communications to the known weaknesses of TLS 1.2. Since TLS 1.2 has documented vulnerabilities under certain conditions, this silent fallback can reduce the security of your data in transit.

Attackers could exploit this by targeting TLS 1.2-specific weaknesses, potentially compromising confidentiality or integrity of the data transmitted over the network.

Because the vulnerability does not require privileges or user interaction and can be exploited remotely, it has a moderate severity score (CVSS 5.3).

Detection Guidance

This vulnerability involves Zephyr sockets created with IPPROTO_TLS_1_3 still negotiating TLS 1.2 connections when both TLS versions are enabled. Detection would involve monitoring TLS connections to verify the negotiated TLS version.

You can detect this by capturing and analyzing TLS handshake traffic, specifically the ClientHello and ServerHello messages, to check if TLS 1.2 connections are being established despite the socket being configured for TLS 1.3.

Commands to detect this might include using network packet capture tools such as tcpdump or Wireshark to filter TLS traffic and inspect the negotiated TLS version.

  • tcpdump -i <interface> -w capture.pcap 'tcp port 443'
  • Use Wireshark to open capture.pcap and filter with 'ssl.record.version == 0x0303' for TLS 1.2 or 'ssl.record.version == 0x0304' for TLS 1.3 to identify the actual negotiated version.

Alternatively, if you have access to the Zephyr system logs or debugging output, you can check if the socket-level protocol selection is correctly propagated or if the negotiated TLS version is logged.

Mitigation Strategies

An immediate workaround is to restrict the TLS cipher suites to TLS 1.3-only cipher suites using the TLS_CIPHERSUITE_LIST socket option. This prevents the negotiation of TLS 1.2 connections even if both versions are enabled.

Additionally, ensure that your application or system enforces TLS 1.3 restrictions during socket creation, or consider using new socket protocols like IPPROTO_TLS_1_X_ONLY if available.

Monitor for updates or patches from the Zephyr project, as no patched versions were available as of the advisory date.

Compliance Impact

This vulnerability allows TLS 1.3 sockets to negotiate TLS 1.2 connections, which may expose applications to TLS 1.2-specific weaknesses. Since TLS 1.2 is considered less secure than TLS 1.3, this could undermine the security assumptions of applications relying on TLS 1.3 for data protection.

Standards and regulations such as GDPR and HIPAA require appropriate technical measures to protect sensitive data in transit. The silent fallback to TLS 1.2 could lead to weaker encryption and potentially increase the risk of data exposure or interception, thereby affecting compliance with these regulations.

Organizations relying on Zephyr RTOS with this vulnerability might not meet the strict encryption requirements mandated by such standards unless they apply the recommended workaround or patches to enforce TLS 1.3-only connections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart