FFDH: Lack of Contributory Behaviour Vulnerability (CVE-2026-34872)

Vulnerability Overview

When performing key agreement using the built-in driver, the peer's public key is not properly validated as required by RFC 7919 and NIST SP800-56A. As a result, the peer can force the resulting shared secret to be limited to a small set of values, a weakness known as lack of contributory behaviour.

Severity: MEDIUM
Discovery Date: March 31, 2024
Discoverers: Eva Crystal (0xveil) and another reporter

---

Affected Scope

Protocol-Level Impact:

TLS 1.3: Not affected (the master secret depends on the entire handshake transcript, including random bytes provided by both parties).
TLS 1.2: Not affected, for a different reason: the checks are only realistic for groups known to use safe primes, but TLS 1.2 allows any group provided by the server, so effective client-side checking is impossible.

---

Remediation

Upgrade to:
TF-PSA-Crypto 1.1.0 or later
Mbed TLS 3.6.6 or later

---

Work-around

For protocols requiring contributory behaviour, verify that the parameter falls within the valid range. When using 2048-bit primes, the bounds are:

Lower bound (hex):
Upper bound (hex):

The parameter should satisfy: (lower bound) AND (upper bound).

Users need to look up primes of the size used according to RFC 7919.

Exception: The legacy API in Mbed TLS 3.6 is not affected.

---

Fix Commits
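The validation that the work-around asks for, shown as an added example (not code from the advisory or from Mbed TLS / TF-PSA-Crypto): it implements the NIST SP800-56A public-key check for a safe-prime group, using a constructed toy prime so the effect is visible; the real 2048-bit parameters would be taken from RFC 7919, and the function names are assumptions.

```python
# Added example, not part of the advisory or of the Mbed TLS / TF-PSA-Crypto code.
# Public-key validation for finite-field DH over a safe prime p = 2q + 1, which is
# the shape of every RFC 7919 group. Values are constructed for illustration.

TOY_P = 23                 # constructed toy safe prime (23 = 2 * 11 + 1)
TOY_Q = (TOY_P - 1) // 2   # 11, the prime order of the subgroup an honest peer uses
TOY_G = 2                  # generator of the order-q subgroup, as in RFC 7919


def ffdh_bounds(p):
    """Valid range for a peer public value y in a safe-prime group: 2 <= y <= p - 2.
    For a real deployment, p is the RFC 7919 prime of the size in use."""
    return 2, p - 2


def validate_peer_public(p, y):
    """Full public-key validation (SP 800-56A style):
    1. range check, which rejects 0, 1, p-1 and anything out of range;
    2. subgroup check y^q mod p == 1, which rejects order-2 and composite-order
       values that would pin the shared secret to a small set."""
    lo, hi = ffdh_bounds(p)
    if not (lo <= y <= hi):
        return False
    q = (p - 1) // 2
    return pow(y, q, p) == 1


def shared_secret(p, y, x):
    """Our side of the key agreement: y^x mod p with our private key x."""
    return pow(y, x, p)


def secrets_reachable(p, y):
    """All shared secrets a peer that sent y can force, over every private key x.
    A small set here is exactly the lack of contributory behaviour."""
    return {shared_secret(p, y, x) for x in range(1, p - 1)}


if __name__ == "__main__":
    for y in (1, TOY_P - 1, TOY_G):
        print(y, validate_peer_public(TOY_P, y), sorted(secrets_reachable(TOY_P, y)))
```

Without the check, y = 1 or y = p - 1 leaves the secret in {1} or {1, p-1} whatever our private key is; with it, both are rejected before any exponentiation happens.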