PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1677 zephyrproject-rtos CVE debrief

CVE-2026-1677 is a medium-severity vulnerability in Zephyr's TLS 1.3 socket implementation. The vulnerability occurs because Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig. This happens because the socket-level protocol selection is not propagated to mbedTLS. As a result, applications that assume `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses.

Vendor
zephyrproject-rtos
Product
Zephyr
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-11
Original CVE updated
2026-07-08
Advisory published
2026-05-11
Advisory updated
2026-07-08

Who should care

Organizations using Zephyr for TLS 1.3 connections should be aware of this vulnerability. Specifically, those who have enabled both TLS 1.2 and TLS 1.3 in their Kconfig settings and rely on `IPPROTO_TLS_1_3` for secure connections may be affected.

Technical summary

The vulnerability arises from the lack of propagation of socket-level protocol selection to mbedTLS. When creating a socket with `IPPROTO_TLS_1_3`, the ClientHello message advertises both TLS 1.2 and TLS 1.3. If the peer supports both versions, it may establish a TLS 1.2 connection, bypassing the intended security of TLS 1.3. This can lead to exposure to TLS 1.2-specific vulnerabilities. A workaround is available using the `TLS_CIPHERSUITE_LIST` socket option to restrict cipher suites to TLS 1.3-only.

Defensive priority

Medium priority should be given to addressing this vulnerability, especially for applications relying on TLS 1.3 for security.

Recommended defensive actions

  • Review and update Kconfig settings to ensure proper TLS version enforcement.
  • Implement the workaround using `TLS_CIPHERSUITE_LIST` socket option to restrict to TLS 1.3 cipher suites.
  • Monitor for and apply patches or updates from Zephyr as they become available.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record and NVD details provide information on the vulnerability. The vendor advisory on GitHub offers additional context and mitigation strategies. Evidence is limited to public sources and may not cover all affected systems or specific configurations. Defenders should verify system configurations, review Kconfig settings, and assess exposure based on TLS version usage.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-11T06:16:08.683Z and has not been modified since then. The NVD entry is currently Analyzed.