Skip to main content

Zephyr RTOS CVE-2026-1677

| EUVDEUVD-2026-29033 MEDIUM
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757)
2026-05-11 vulnerabilities@zephyrproject.org
5.3
CVSS 3.1 · Vendor: zephyrproject
Share

Severity by source

Vendor (zephyrproject) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (zephyrproject) · only source for this CVE.

CVSS VectorVendor: zephyrproject

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 06:30 vuln.today
CVE Published
May 11, 2026 - 06:16 nvd
MEDIUM 5.3

DescriptionCVE.org

Zephyr sockets created with IPPROTO_TLS_1_3 can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via mbedtls_ssl_conf_min_tls_version). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that assumed IPPROTO_TLS_1_3 enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses. As a workaround, the TLS_CIPHERSUITE_LIST socket option can be restricted to TLS 1.3-only cipher suites.

AnalysisAI

Zephyr RTOS sockets created with IPPROTO_TLS_1_3 can negotiate TLS 1.2 connections when both TLS versions are enabled in Kconfig, because socket-level protocol selection is not propagated to mbedTLS's minimum version enforcement. Applications explicitly requesting TLS 1.3 may silently fall back to TLS 1.2, exposing them to known TLS 1.2 weaknesses such as POODLE or truncation attacks. Remote unauthenticated attackers can exploit this via network-level protocol downgrade during the TLS handshake.

Technical ContextAI

Zephyr RTOS uses mbedTLS as its underlying TLS/SSL library. When an application creates a socket with IPPROTO_TLS_1_3, Zephyr's socket abstraction layer should enforce TLS 1.3-only negotiation by calling mbedTLS's mbedtls_ssl_conf_min_tls_version() function to set the minimum version to TLS 1.3. However, this propagation does not occur. Instead, the mbedTLS configuration retains its Kconfig-specified defaults, which may include both TLS 1.2 and TLS 1.3. During the TLS handshake, the ClientHello advertises both supported versions, allowing a peer (or attacker) to select TLS 1.2. This violates the application's explicit protocol-level intent and falls under CWE-757 (Selection of Less-Secure Algorithm Before Stronger One). The root cause is incomplete socket option handling in Zephyr's TLS socket implementation.

RemediationAI

Apply the upstream patch from the Zephyr project repository that propagates socket-level IPPROTO_TLS_1_3 selection to mbedTLS by calling mbedtls_ssl_conf_min_tls_version(conf, MBEDTLS_SSL_VERSION_TLS1_3) before handshake initiation. Check the Zephyr security advisory GHSA-23r2-m5wx-4rvq for patched release versions. As an immediate workaround without patching, applications can restrict the TLS_CIPHERSUITE_LIST socket option to TLS 1.3-only cipher suites using setsockopt(), which forces the peer to negotiate TLS 1.3 or fail the handshake. This workaround has no functional side effects but requires explicit application code changes for each affected socket. Alternatively, disable TLS 1.2 at build time via Kconfig (CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n) if the deployment does not require backward compatibility; this ensures downgrade is cryptographically impossible. Prioritize patching over Kconfig changes to avoid build-time rigidity in production deployments.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-1677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy