TLS 1.3 Vulnerability in Zephyr Sockets by Zephyr Project
CVE-2026-1677

5.3 MEDIUM

Key Information:

CVE Published: 11 May 2026

What is CVE-2026-1677?

The vulnerability in Zephyr sockets allows a connection opened with IPPROTO_TLS_1_3 to negotiate TLS 1.2, because the minimum TLS version set on the socket is not fully enforced. The issue occurs when both TLS versions are enabled in Kconfig: the socket-level version setting is not effectively passed through to mbedTLS, so the negotiated version is not constrained to TLS 1.3. Consequently, applications that rely on IPPROTO_TLS_1_3 to enforce TLS 1.3 may inadvertently fall back to TLS 1.2 and become exposed to the known weaknesses of the older protocol. Users are advised to configure the TLS_CIPHERSUITE_LIST socket option to allow only TLS 1.3 cipher suites as a mitigating measure.

Affected Version(s)

Zephyr * <= 4.3

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved