CVE-2026-1677
Status: Received - Intake
TLS 1.2 Negotiation in Zephyr Sockets with mbedTLS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: Zephyr Project

Description
Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that assumed `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses. As a workaround, the `TLS_CIPHERSUITE_LIST` socket option can be restricted to TLS 1.3-only cipher suites.
Meta Information
Generated: 2026-05-11
AI Q&A generated: 2026-05-11
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: zephyrproject
Product: zephyr
Version / Range: up to and including 4.3
CWE
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'). A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1677 is a vulnerability in the Zephyr RTOS where sockets created with the protocol `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection if both TLS 1.2 and TLS 1.3 are enabled. This happens because the socket-level protocol selection is not properly propagated to the underlying mbedTLS library, which means the ClientHello message advertises support for both TLS 1.2 and TLS 1.3. As a result, the peer can establish a TLS 1.2 connection even though the application expects TLS 1.3 only.

This leads to a situation where applications assuming they are using the more secure TLS 1.3 may silently fall back to TLS 1.2, exposing them to known weaknesses specific to TLS 1.2. The root cause is that the minimum version is never enforced through the mbedTLS configuration (for example `mbedtls_ssl_conf_min_tls_version`), and the negotiated version is not checked after the handshake either, so the fallback is invisible to the application.

A workaround is to restrict the cipher suites to TLS 1.3-only suites using the `TLS_CIPHERSUITE_LIST` socket option. Proposed fixes, not yet released as of the advisory date, include enforcing the TLS 1.3 minimum when a socket is created with `IPPROTO_TLS_1_3`, or introducing new socket protocol values that make the version requirement explicit.


How can this vulnerability impact me?

In practice, an application that opened an `IPPROTO_TLS_1_3` socket ends up on a TLS 1.2 session whenever the peer prefers or only supports TLS 1.2, while the code believes it has a TLS 1.3 session. The properties it was designed around (the small TLS 1.3 cipher suite set, an encrypted handshake, no renegotiation, no legacy key exchange) are then silently not in force, and the connection is only as strong as the TLS 1.2 configuration mbedTLS was built with.

An attacker who can act as the peer, or influence which version the peer negotiates, can therefore keep the device on TLS 1.2 and apply whatever TLS 1.2-specific weaknesses that configuration carries, affecting the confidentiality or integrity of the data transmitted over the network.

Because the vulnerability does not require privileges or user interaction and is triggered over the network, it has a moderate severity score (CVSS 5.3).


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Zephyr sockets created with IPPROTO_TLS_1_3 still negotiating TLS 1.2 connections when both TLS versions are enabled. Detection means verifying, per connection, which version was actually negotiated; the socket configuration alone tells you nothing.

Capture the handshake and look at the ServerHello, the only message that states what was selected. Do not rely on the record-layer version field: it reads 0x0303 for both TLS 1.2 and TLS 1.3 sessions, and a TLS 1.3 ServerHello also keeps legacy_version = 0x0303. TLS 1.3 is signalled only by the supported_versions extension in the ServerHello; a ServerHello without that extension is a TLS 1.2 (or older) session.

With tcpdump and Wireshark:

  • tcpdump -i <interface> -w capture.pcap 'tcp port 443' (substitute the port your Zephyr application actually connects to; embedded TLS traffic is often not on 443)
  • In Wireshark, filter 'tls.handshake.type == 2 && tls.handshake.extensions.supported_version == 0x0304' to list TLS 1.3 sessions; a ServerHello matching 'tls.handshake.type == 2 && !tls.handshake.extensions.supported_version && tls.handshake.version == 0x0303' is a TLS 1.2 session. On the client side, 'tls.handshake.type == 1 && tls.handshake.extensions.supported_version == 0x0303' shows ClientHellos that still advertise TLS 1.2 (the 'ssl.' field prefix is deprecated in current Wireshark; use 'tls.').

Alternatively, if you have the device console, mbedTLS debug output (enabled through its Kconfig option) prints the chosen protocol version during the handshake, which lets you confirm the fallback without a capture.


What immediate steps should I take to mitigate this vulnerability?

The immediate workaround is to restrict every IPPROTO_TLS_1_3 socket to TLS 1.3-only cipher suites with the TLS_CIPHERSUITE_LIST socket option (set at the SOL_TLS level before connect(); it takes an array of int cipher suite identifiers in mbedTLS's numbering, i.e. the MBEDTLS_TLS1_3_* suites). This does not change the versions advertised in the ClientHello, but a peer that only speaks TLS 1.2 then has no suite it can select, so the handshake fails instead of silently completing at TLS 1.2.

Until a fix is released, do not assume that IPPROTO_TLS_1_3 alone enforces anything: treat the cipher suite restriction as mandatory for such sockets, and confirm on the wire (ServerHello supported_versions) that sessions really come up as TLS 1.3. The proposed upstream fixes, enforcing the minimum version at socket creation or adding socket protocol values that make the version requirement explicit, would make this automatic once adopted.

Monitor the Zephyr project for a patched release; none was available as of the advisory date, and the listed affected range covers every release up to and including 4.3.
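The detection and mitigation answers above both come down to reading the handshake: does the ClientHello still advertise TLS 1.2 and pre-1.3 suites, and what did the ServerHello actually select? The following is an added example written for this page, not code from the Zephyr project or the advisory. It is a small host-side C parser for the ClientHello/ServerHello records (the four sample records are constructed inline, not captured traffic, and no Zephyr or mbedTLS API is used) that reports whether a client still offers TLS 1.2 in supported_versions, whether it still offers any TLS 1.2 cipher suite (i.e. whether the TLS_CIPHERSUITE_LIST workaround took effect), and which version the server selected, which for TLS 1.3 lives in the ServerHello supported_versions extension rather than in legacy_version. The function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HS_CLIENT_HELLO = 1, HS_SERVER_HELLO = 2, EXT_SUPPORTED_VERSIONS = 0x002b, TLS13 = 0x0304, MAX_LIST = 16 };

struct hello {                                  /* what we keep from a ClientHello or ServerHello */
    uint8_t hs_type; uint16_t legacy_version;
    uint16_t suites[MAX_LIST], versions[MAX_LIST]; /* offered (client) or selected (server) */
    size_t   n_suites, n_versions;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
#define LEFT ((size_t)(end - p))                /* bytes remaining before the current end pointer */
/* Parse one TLS record carrying a ClientHello or ServerHello; false if malformed or truncated. */
static bool parse_hello(const uint8_t *rec, size_t len, struct hello *h)
{
    memset(h, 0, sizeof *h);
    if (len < 5 || rec[0] != 0x16) return false;            /* content type must be handshake (22) */
    size_t n = rd16(rec + 3);                                /* record length */
    if (n < 4 || n + 5 > len) return false;
    const uint8_t *p = rec + 5, *end = p + n; h->hs_type = p[0];
    n = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3]; p += 4; /* handshake length */
    if (n > LEFT || n < 35) return false; end = p + n;       /* version(2) + random(32) + sid_len(1) */
    h->legacy_version = rd16(p); p += 34;
    n = *p++; if (n > LEFT) return false; p += n;            /* skip session_id */
    if (h->hs_type == HS_CLIENT_HELLO) {
        if (LEFT < 2) return false; n = rd16(p); p += 2;     /* cipher_suites length */
        if (n > LEFT || (n & 1)) return false;
        for (size_t i = 0; i < n && h->n_suites < MAX_LIST; i += 2)
            h->suites[h->n_suites++] = rd16(p + i);
        p += n;
        if (LEFT < 1) return false;
        n = *p++; if (n > LEFT) return false; p += n;        /* skip compression_methods */
    } else if (h->hs_type == HS_SERVER_HELLO) {
        if (LEFT < 3) return false;
        h->suites[0] = rd16(p); h->n_suites = 1; p += 3;     /* cipher_suite + compression_method */
    } else return false;
    if (p == end) return true;                               /* no extensions block: legal in TLS 1.2 */
    if (LEFT < 2) return false;
    n = rd16(p); p += 2;
    if (n != LEFT) return false;                             /* extensions length must fill the body */
    while (LEFT >= 4) {
        size_t type = rd16(p), elen = rd16(p + 2); p += 4;
        if (elen > LEFT) return false;
        if (type == EXT_SUPPORTED_VERSIONS) {
            const uint8_t *v = p; size_t vl = elen;
            if (h->hs_type == HS_CLIENT_HELLO) {             /* uint8 list length, then 2-byte versions */
                if (vl < 1 || (size_t)v[0] != vl - 1 || ((vl - 1) & 1)) return false;
                v++; vl--;
            } else if (vl != 2) return false;                /* server carries one selected_version */
            for (; vl >= 2 && h->n_versions < MAX_LIST; v += 2, vl -= 2)
                h->versions[h->n_versions++] = rd16(v);
        }
        p += elen;
    }
    return p == end;
}

/* Does the ClientHello offer TLS 1.3? Without supported_versions, legacy_version is the maximum. */
static bool client_offers_tls13(const struct hello *ch)
{
    for (size_t i = 0; i < ch->n_versions; i++) if (ch->versions[i] == TLS13) return true;
    return ch->n_versions == 0 && ch->legacy_version >= TLS13;
}
/* True if any pre-1.3 suite is still offered: the IANA TLS 1.3 suites are exactly 0x1301..0x1305. */
static bool client_offers_tls12_suite(const struct hello *ch)
{
    for (size_t i = 0; i < ch->n_suites; i++)
        if (ch->suites[i] < 0x1301 || ch->suites[i] > 0x1305) return true;
    return false;
}
/* The version the server really selected: supported_versions (TLS 1.3) wins over legacy_version. */
static uint16_t negotiated_version(const struct hello *sh)
{
    return sh->hs_type != HS_SERVER_HELLO ? 0 : sh->n_versions ? sh->versions[0] : sh->legacy_version;
}
/* 1 = client offered TLS 1.3 but the server settled on something lower, 0 = fine, -1 = malformed. */
static int audit_handshake(const uint8_t *crec, size_t clen, const uint8_t *srec, size_t slen)
{
    struct hello ch, sh;
    if (!parse_hello(crec, clen, &ch) || ch.hs_type != HS_CLIENT_HELLO ||
        !parse_hello(srec, slen, &sh) || sh.hs_type != HS_SERVER_HELLO) return -1;
    return client_offers_tls13(&ch) && negotiated_version(&sh) < TLS13;
}

/* Constructed sample records for this example (not captured traffic); the 32-byte random fields are zeroed. */
#define RAND32 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
/* ClientHello of an unrestricted IPPROTO_TLS_1_3 socket: versions {1.3, 1.2}, suites 0x1301 0x1302 0xc02f */
static const uint8_t CLIENT_HELLO_MIXED[] = { 0x16, 0x03, 0x01, 0x00, 0x3c, 0x01, 0x00, 0x00, 0x38,
    0x03, 0x03, RAND32, 0x00, 0x00, 0x06, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f, 0x01, 0x00,
    0x00, 0x09, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 };
/* Same socket after the TLS_CIPHERSUITE_LIST workaround: versions unchanged, only 1.3 suites offered */
static const uint8_t CLIENT_HELLO_TLS13_SUITES[] = { 0x16, 0x03, 0x01, 0x00, 0x3a, 0x01, 0x00, 0x00, 0x36,
    0x03, 0x03, RAND32, 0x00, 0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0x01, 0x00,
    0x00, 0x09, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03 };
/* ServerHello that settles on TLS 1.2 with 0xc02f: no supported_versions extension at all */
static const uint8_t SERVER_HELLO_TLS12[] = { 0x16, 0x03, 0x03, 0x00, 0x2c, 0x02, 0x00, 0x00, 0x28,
    0x03, 0x03, RAND32, 0x00, 0xc0, 0x2f, 0x00, 0x00, 0x00 };
/* ServerHello that selects TLS 1.3 with 0x1301: legacy_version still reads 0x0303 */
static const uint8_t SERVER_HELLO_TLS13[] = { 0x16, 0x03, 0x03, 0x00, 0x32, 0x02, 0x00, 0x00, 0x2e,
    0x03, 0x03, RAND32, 0x00, 0x13, 0x01, 0x00, 0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04 };
```

Feed `audit_handshake()` the raw record bytes of a ClientHello/ServerHello pair exported from a capture: CLIENT_HELLO_MIXED with SERVER_HELLO_TLS12 reports 1, the silent fallback this CVE describes, while the same client with SERVER_HELLO_TLS13 reports 0. The two ClientHello samples show what the workaround does and does not change: CLIENT_HELLO_TLS13_SUITES still lists 0x0303 in supported_versions, so `client_offers_tls13()` is true for both, but `client_offers_tls12_suite()` is false only for the restricted one, and that absence of any TLS 1.2 suite is what leaves a TLS 1.2-only peer with nothing to select. After applying TLS_CIPHERSUITE_LIST, check a real ClientHello with this parser to confirm the restriction reached the wire.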


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows TLS 1.3 sockets to negotiate TLS 1.2 connections, which may expose applications to TLS 1.2-specific weaknesses. Since TLS 1.2 is considered less secure than TLS 1.3, this could undermine the security assumptions of applications relying on TLS 1.3 for data protection.

Standards and regulations such as GDPR and HIPAA require appropriate technical measures to protect sensitive data in transit. The silent fallback to TLS 1.2 could lead to weaker encryption and potentially increase the risk of data exposure or interception, thereby affecting compliance with these regulations.

Organizations relying on Zephyr RTOS with this vulnerability might not meet the strict encryption requirements mandated by such standards unless they apply the recommended workaround or patches to enforce TLS 1.3-only connections.

