
Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873) #439

@michaelthomasj

Description


Issue

When a TLS 1.2- and TLS 1.3-capable Mbed TLS server is asked to resume a TLS 1.3 session via a ticket and replies with a HelloRetryRequest, and the subsequent ClientHello negotiates TLS 1.2, the server incorrectly proceeds to resume a TLS 1.2 session using an all-zero master secret. A man-in-the-middle attacker who intercepts the HelloRetryRequest and replies with a TLS 1.2 ClientHello can therefore complete a handshake that was originally initiated with a TLS 1.3 ticket, bypassing client authentication and potentially impersonating a legitimate client. Affects Mbed TLS 3.5.0 through 3.6.5, and 4.0.0.
https://nvd.nist.gov/vuln/detail/CVE-2026-34873
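The defect described above is a missing consistency check between the protocol version a ticket was issued under and the version negotiated after the HelloRetryRequest. The following is an added, constructed model of that server-side decision; it is not Mbed TLS code and does not reproduce its data structures or its actual patch. The types `ticket_t` and `session_t`, the functions `resume_vulnerable` and `resume_fixed`, and the secret field layout are hypothetical, chosen only to show why a TLS 1.3 ticket taking the TLS 1.2 branch ends up with an all-zero master secret and what check prevents it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the resumption decision; NOT Mbed TLS code. */
#define TLS_VERSION_1_2 0x0303
#define TLS_VERSION_1_3 0x0304

/* A session ticket as the server sees it after decryption (hypothetical layout).
 * A TLS 1.2 ticket carries the 48-byte master secret; a TLS 1.3 ticket carries a
 * 32-byte resumption secret instead, so its master_secret field is all zero. */
typedef struct {
    uint16_t version;               /* version the ticket was issued under */
    uint8_t master_secret[48];      /* TLS 1.2 only */
    uint8_t resumption_secret[32];  /* TLS 1.3 only */
} ticket_t;

typedef struct {
    uint16_t negotiated_version;
    uint8_t master_secret[48];
    bool resumed;
    bool client_authenticated;  /* the ticket vouches for the client identity */
} session_t;

static bool all_zero(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Defective flow: the ticket's version is never compared with the version
 * negotiated after the HelloRetryRequest. A TLS 1.3 ticket therefore reaches
 * the TLS 1.2 branch, which copies the all-zero master_secret field and still
 * marks the session as resumed and the client as authenticated. */
int resume_vulnerable(const ticket_t *t, uint16_t hello_version, session_t *s)
{
    memset(s, 0, sizeof(*s));
    s->negotiated_version = hello_version;
    if (hello_version == TLS_VERSION_1_3) {
        memcpy(s->master_secret, t->resumption_secret, 32);
    } else {
        memcpy(s->master_secret, t->master_secret, 48);
    }
    s->resumed = true;
    s->client_authenticated = true;
    return 0;
}

/* Hardened flow: a ticket is only honoured for the version it was issued
 * under, and a TLS 1.2 resumption with an all-zero master secret is refused
 * as defence in depth. Returns -1 so the caller aborts the handshake (or
 * falls back to a full handshake) instead of resuming. */
int resume_fixed(const ticket_t *t, uint16_t hello_version, session_t *s)
{
    memset(s, 0, sizeof(*s));
    s->negotiated_version = hello_version;
    if (t->version != hello_version) {
        return -1;  /* version changed across the HelloRetryRequest */
    }
    if (hello_version == TLS_VERSION_1_3) {
        memcpy(s->master_secret, t->resumption_secret, 32);
    } else {
        if (all_zero(t->master_secret, sizeof(t->master_secret))) return -1;
        memcpy(s->master_secret, t->master_secret, 48);
    }
    s->resumed = true;
    s->client_authenticated = true;
    return 0;
}

/* Constructed sample tickets (the secret bytes are arbitrary filler). */
ticket_t make_tls13_ticket(void)
{
    ticket_t t;
    memset(&t, 0, sizeof(t));
    t.version = TLS_VERSION_1_3;
    memset(t.resumption_secret, 0x5a, sizeof(t.resumption_secret));
    return t;
}

ticket_t make_tls12_ticket(void)
{
    ticket_t t;
    memset(&t, 0, sizeof(t));
    t.version = TLS_VERSION_1_2;
    memset(t.master_secret, 0xa5, sizeof(t.master_secret));
    return t;
}

bool session_master_secret_is_zero(const session_t *s)
{
    return all_zero(s->master_secret, sizeof(s->master_secret));
}

int main(void)
{
    ticket_t t13 = make_tls13_ticket();
    session_t s;
    int rc = resume_vulnerable(&t13, TLS_VERSION_1_2, &s);
    printf("vulnerable: rc=%d resumed=%d zero_master=%d\n",
           rc, s.resumed, session_master_secret_is_zero(&s));
    rc = resume_fixed(&t13, TLS_VERSION_1_2, &s);
    printf("fixed:      rc=%d resumed=%d\n", rc, s.resumed);
    return 0;
}
```

Run as written, the vulnerable path reports a resumed, "authenticated" session whose 48-byte master secret is entirely zero, which is the condition the advisory describes; the hardened path refuses the same ticket as soon as the negotiated version differs from the one the ticket was issued under. The second check (refusing an all-zero TLS 1.2 master secret) is an extra guard so that a future version-handling mistake cannot silently produce the same outcome.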

Workaround

Update to mbedTLS v3.6.6, TF-PSA-Crypto 1.1.0, or a newer version of either.
FSP v6.5.0 (scheduled for 2026/05/27) includes mbedTLS v3.6.6.