CVE-2026-1677: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in zephyrproject-rtos Zephyr
Zephyr sockets configured with the IPPROTO_TLS_1_3 option may still negotiate TLS 1.2 connections if both TLS 1.2 and TLS 1.3 are enabled, due to the socket-level protocol selection not being properly propagated to the underlying mbedTLS library. This results in the ClientHello message advertising both TLS versions, allowing a peer to establish a TLS 1.2 connection despite the application's expectation of TLS 1.3. Consequently, applications may unknowingly use the less secure TLS 1.2 protocol and remain vulnerable to weaknesses specific to TLS 1.2.
AI Analysis
Technical Summary
The vulnerability in Zephyr RTOS arises because sockets created with IPPROTO_TLS_1_3 do not enforce TLS 1.3 exclusively. The socket-level protocol selection is not communicated to mbedTLS, which leads to the ClientHello message advertising both TLS 1.2 and TLS 1.3. This allows the peer to negotiate a TLS 1.2 connection, undermining the intended security guarantees of TLS 1.3. The issue occurs when both TLS 1.2 and TLS 1.3 are enabled in the Kconfig configuration. The lack of enforcement means applications assuming TLS 1.3 is used may be exposed to vulnerabilities inherent to TLS 1.2. The recommended workaround is to limit the TLS_CIPHERSUITE_LIST socket option to TLS 1.3-only cipher suites to prevent fallback to TLS 1.2.
Potential Impact
Applications using Zephyr sockets with IPPROTO_TLS_1_3 may unintentionally negotiate TLS 1.2 connections, exposing them to known weaknesses of TLS 1.2. This reduces the confidentiality guarantees expected from TLS 1.3 and may allow attackers to exploit vulnerabilities specific to TLS 1.2. There is no indication of integrity or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
No official patch or fix has been published yet. As a workaround, restrict the TLS_CIPHERSUITE_LIST socket option to only TLS 1.3 cipher suites to prevent negotiation of TLS 1.2 connections. Monitor the vendor advisory for updates regarding an official fix or patch. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-1677: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in zephyrproject-rtos Zephyr
Description
Zephyr sockets configured with the IPPROTO_TLS_1_3 option may still negotiate TLS 1.2 connections if both TLS 1.2 and TLS 1.3 are enabled, due to the socket-level protocol selection not being properly propagated to the underlying mbedTLS library. This results in the ClientHello message advertising both TLS versions, allowing a peer to establish a TLS 1.2 connection despite the application's expectation of TLS 1.3. Consequently, applications may unknowingly use the less secure TLS 1.2 protocol and remain vulnerable to weaknesses specific to TLS 1.2.
CVSS v3.1
Score 5.3medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Zephyr RTOS arises because sockets created with IPPROTO_TLS_1_3 do not enforce TLS 1.3 exclusively. The socket-level protocol selection is not communicated to mbedTLS, which leads to the ClientHello message advertising both TLS 1.2 and TLS 1.3. This allows the peer to negotiate a TLS 1.2 connection, undermining the intended security guarantees of TLS 1.3. The issue occurs when both TLS 1.2 and TLS 1.3 are enabled in the Kconfig configuration. The lack of enforcement means applications assuming TLS 1.3 is used may be exposed to vulnerabilities inherent to TLS 1.2. The recommended workaround is to limit the TLS_CIPHERSUITE_LIST socket option to TLS 1.3-only cipher suites to prevent fallback to TLS 1.2.
Potential Impact
Applications using Zephyr sockets with IPPROTO_TLS_1_3 may unintentionally negotiate TLS 1.2 connections, exposing them to known weaknesses of TLS 1.2. This reduces the confidentiality guarantees expected from TLS 1.3 and may allow attackers to exploit vulnerabilities specific to TLS 1.2. There is no indication of integrity or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
No official patch or fix has been published yet. As a workaround, restrict the TLS_CIPHERSUITE_LIST socket option to only TLS 1.3 cipher suites to prevent negotiation of TLS 1.2 connections. Monitor the vendor advisory for updates regarding an official fix or patch. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-01-30T05:38:22.811Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a01758dcbff5d86109c7ece
Added to database: 5/11/2026, 6:22:05 AM
Last enriched: 5/18/2026, 10:44:44 AM
Last updated: 6/17/2026, 8:49:56 PM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.