CVE-2026-1677

Name of the Vulnerable Software and Affected Versions Zephyr (affected versions not specified)

Description Sockets created with IPPROTO TLS 1 3 may negotiate a TLS 1.2 connection if both TLS versions are enabled in Kconfig. This occurs because the socket-level protocol selection is not propagated to mbedTLS, such as through the mbedtls ssl conf min tls version function. Consequently, the ClientHello advertises both versions, allowing a peer to establish a TLS 1.2 connection. Applications expecting IPPROTO TLS 1 3 to enforce TLS 1.3 may silently use TLS 1.2, leaving them exposed to weaknesses specific to TLS 1.2.

Recommendations Restrict the TLS CIPHERSUITE LIST socket option to TLS 1.3-only cipher suites as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.