ByteOS Network

CVE Vulnerability Details :

CVE-2026-1677

PUBLISHED

More Info Official Page

Assigner-zephyr

Assigner Org ID-e2e69745-5e70-4e92-8431-deb5529a81ad

Published At-11 May, 2026 | 05:52

Updated At-11 May, 2026 | 05:52

▼CVE Numbering Authority (CNA)

net: TLS 1.2 connections allowed on TLS 1.3 sockets

Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that assumed `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses. As a workaround, the `TLS_CIPHERSUITE_LIST` socket option can be restricted to TLS 1.3-only cipher suites.

Affected Products

Vendor

Zephyr Project

Product

Zephyr

Package Name

Zephyr

Repo

https://github.com/zephyrproject-rtos/zephyr

Default Status

unaffected

Versions

Affected

From * through 4.3 (git)

Problem Types

Type	CWE ID	Description
CWE	CWE-757	Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Type: CWE

CWE ID: CWE-757

Description: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-23r2-m5wx-4rvq	N/A

Hyperlink: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-23r2-m5wx-4rvq

Resource: N/A

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References