Mbed TLS CVE-2026-34873 Client Impersonation via TLS 1.3 Session Resumption

CVE-2026-34873 Vulnerability Summary Vulnerability Overview Client impersonation while resuming a TLS 1.3 session When an Mbed TLS server supporting both TLS 1.2 and TLS 1.3 receives a request to resume a TLS 1.3 session using a ticket and responds with a HelloRetryRequest, if the subsequent ClientHello negotiates TLS 1.2 (e.g., does not include supported extensions), the server incorrectly proceeds with the TLS 1.2 session resumption using an all-zero master secret. A man-in-the-middle attacker can intercept the HelloRetryRequest and reply with a ClientHello that negotiates TLS 1.2, thereby completing a handshake originally initiated using a TLS 1.3 ticket. Affected Scope Attack Conditions (must all be met): Server supports both TLS 1.2 and TLS 1.3 Server is configured to authenticate clients Server issues TLS 1.3 session tickets to authenticated clients for subsequent session resumption Attack Consequences: Bypass of client authentication mechanisms configured on Mbed TLS servers Attacker can impersonate legitimate clients If the application encodes additional application-level information in the ticket via and callbacks (such as authentication status, access permissions), the attacker may inherit the same privileges Remediation Solutions 1. Upgrade Version (Recommended) 3.6 LTS branch users: Upgrade to 3.6.6 or later 4.x series users: Upgrade to 4.1.0 or later 2. Mitigation Measures (if immediate upgrade is not possible) Configuration Option 1: Disable "PSK with (EC)DHE" key establishment Disable at compile time: Disable at runtime via API: , enabling only "PSK-only" mode ⚠️ Note: This mode does not provide forward secrecy Configuration Option 2: Disable session ticket generation Disable at compile time: Disable at runtime via API: Set to 0, causing the server to send zero NewSessionTicket messages after handshake completion Additional Condition: The issue is not exploitable if the server does not respond with HelloRetryRequest when an authenticated client attempts to resume a TLS 1.3 session using a ticket (typically when the server always supports at least one key share group in the ClientHello) Fix Commits Mbed TLS 3.6.x branch: --- Note: No POC code or exploit code is included in this page.

Goal Reached Thanks to every supporter — we hit 100%!

Mbed TLS CVE-2026-34873 Client Impersonation via TLS 1.3 Session Resumption