CVE-2024-45159
Description
Mbed TLS 3.2.0 to 3.6.0 fails to check keyUsage/extKeyUsage in TLS 1.3 optional client authentication, allowing a certificate valid for other purposes to be used for client auth.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Mbed TLS versions 3.2.0 through 3.6.0, the TLS 1.3 optional client authentication path incorrectly clears the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits in the return value of mbedtls_ssl_get_verify_result(). This occurs when a client presents a certificate whose keyUsage or extKeyUsage extensions do not permit TLS client authentication. As a result, the certificate is wrongly reported as fully valid. Only TLS 1.3 servers using optional authentication (MBEDTLS_SSL_VERIFY_OPTIONAL) are affected; mandatory authentication (MBEDTLS_SSL_VERIFY_REQUIRED) and TLS 1.2 are not impacted [1][2].
Exploitation
An attacker must present a certificate that is otherwise valid (signed by a trusted CA) but whose keyUsage or extKeyUsage extensions lack the appropriate bits for TLS client authentication. The attacker initiates a TLS 1.3 handshake with a server configured for optional client authentication. The server accepts the connection and, upon calling mbedtls_ssl_get_verify_result(), receives a result code of 0 (no errors) even though the certificate's key usage is invalid. No user interaction beyond establishing the TLS session is required [2].
Impact
Successful exploitation allows an attacker to impersonate a legitimate TLS client using a certificate that was valid for a different purpose (e.g., code signing, email encryption, or server authentication). This breaks the intended authentication guarantee, potentially enabling unauthorized access to resources or actions that require client identity verification. The attacker gains no additional privileges beyond those associated with the misused certificate, but the trust model of mutual authentication is subverted [1][2].
Mitigation
Update to Mbed TLS 3.6.1 or later (or 4.1.0, which includes the fix). The fixed version was released on 30 August 2024. Users of Mbed TLS 3.x should upgrade to at least 3.6.1; users of the 4.x LTS branch should use 4.1.0 or later. No workaround is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mbed TLS / Mbed TLS
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The mbedtls_ssl_get_verify_result() function incorrectly clears key usage bits for client certificates in TLS 1.3."
Attack vector
An attacker can exploit this vulnerability by presenting a client certificate that is valid for purposes other than TLS client authentication. The server, if configured to optionally authenticate clients and using TLS 1.3, will incorrectly accept this certificate. This allows the attacker to impersonate a legitimate client and establish a TLS 1.3 session. The vulnerability is only present when client authentication is optional, as required authentication would cause the handshake to fail [ref_id=1].
Affected code
The vulnerability lies within the TLS 1.3 implementation of Mbed TLS, specifically in the result reported by the mbedtls_ssl_get_verify_result() function. After the handshake, this function returns the verification flags for the client certificate; when optional client authentication is enabled, the application relies on this value to decide whether the presented certificate is acceptable.
What the fix does
The advisory notes that the function mbedtls_ssl_get_verify_result() was hardened against misuse. Specifically, it now returns -1u if the handshake has not yet been attempted, preventing the previous behavior where a zero-initialized result incorrectly indicated success. This change ensures that the verification result accurately reflects the certificate's validity for TLS client authentication [ref_id=1].
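The following is an added example, not Mbed TLS code or anything from the advisory. It models how a server application should consume the value of mbedtls_ssl_get_verify_result() under MBEDTLS_SSL_VERIFY_OPTIONAL: treat the post-fix -1u sentinel as failure, treat any non-zero flag as failure, and independently confirm the client-authentication purpose of the peer certificate rather than trusting only the keyUsage/extKeyUsage flags that the affected versions cleared. The flag values are assumed to match Mbed TLS's x509.h; peer_cert_t, key_usage_allows() and eku_allows_client_auth() are simplified stand-ins for the real mbedtls_x509_crt structure and the library's mbedtls_x509_crt_check_key_usage() / mbedtls_x509_crt_check_extended_key_usage() calls, which an application would run on the certificate returned by mbedtls_ssl_get_peer_cert(). buggy_optional_mode_result() is a model of the behaviour the description attributes to versions 3.2.0 through 3.6.0, included only to show that the application-level check still rejects the certificate.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag values assumed to be those of Mbed TLS x509.h (copied here so the
 * example builds without the library). */
#define MBEDTLS_X509_BADCERT_KEY_USAGE      0x0800u
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE  0x1000u
/* keyUsage bit for digitalSignature, as in Mbed TLS. */
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE   0x80u
/* Sentinel the hardened mbedtls_ssl_get_verify_result() returns before any
 * handshake has been attempted. */
#define VERIFY_RESULT_NOT_ATTEMPTED         (~0u)

/* Constructed, simplified stand-in for the parsed peer certificate: only the
 * fields the client-auth decision needs. */
typedef struct {
    bool has_key_usage;        /* keyUsage extension present? */
    unsigned int key_usage;    /* keyUsage bits */
    bool has_ext_key_usage;    /* extKeyUsage extension present? */
    bool eku_client_auth;      /* id-kp-clientAuth listed in extKeyUsage? */
} peer_cert_t;

/* Stand-in for mbedtls_x509_crt_check_key_usage(): an absent extension imposes
 * no restriction; a present one must contain every requested bit. */
static bool key_usage_allows(const peer_cert_t *crt, unsigned int usage)
{
    if (!crt->has_key_usage) return true;
    return (crt->key_usage & usage) == usage;
}

/* Stand-in for mbedtls_x509_crt_check_extended_key_usage() with clientAuth. */
static bool eku_allows_client_auth(const peer_cert_t *crt)
{
    if (!crt->has_ext_key_usage) return true;
    return crt->eku_client_auth;
}

/* Model of the affected behaviour: in optional mode the library cleared the
 * two purpose-related flags, so an otherwise valid certificate reported 0. */
static uint32_t buggy_optional_mode_result(uint32_t raw_flags)
{
    return raw_flags & ~(MBEDTLS_X509_BADCERT_KEY_USAGE |
                         MBEDTLS_X509_BADCERT_EXT_KEY_USAGE);
}

typedef enum { CLIENT_ANONYMOUS, CLIENT_AUTHENTICATED, CLIENT_REJECTED } client_auth_status_t;

/* Server-side decision after the handshake under MBEDTLS_SSL_VERIFY_OPTIONAL.
 * verify_result is what mbedtls_ssl_get_verify_result() returned; crt is the
 * peer certificate (NULL when the client sent none). */
static client_auth_status_t decide_client_auth(uint32_t verify_result, const peer_cert_t *crt)
{
    /* A zero-initialised or never-populated result must never mean success. */
    if (verify_result == VERIFY_RESULT_NOT_ATTEMPTED) return CLIENT_REJECTED;
    /* Optional mode: no certificate at all is allowed, but grants no identity. */
    if (crt == NULL) return CLIENT_ANONYMOUS;
    if (verify_result != 0) return CLIENT_REJECTED;
    /* Defence in depth: re-check the purpose bits the affected versions cleared. */
    if (!key_usage_allows(crt, MBEDTLS_X509_KU_DIGITAL_SIGNATURE)) return CLIENT_REJECTED;
    if (!eku_allows_client_auth(crt)) return CLIENT_REJECTED;
    return CLIENT_AUTHENTICATED;
}

int main(void)
{
    /* Constructed certificate that is valid for encryption only: keyUsage =
     * keyEncipherment (0x20), no clientAuth EKU. The unpatched library would
     * report 0 for it in optional mode; the application check still rejects. */
    const peer_cert_t enc_only = { true, 0x20u, true, false };
    uint32_t reported = buggy_optional_mode_result(MBEDTLS_X509_BADCERT_KEY_USAGE |
                                                   MBEDTLS_X509_BADCERT_EXT_KEY_USAGE);
    printf("library reported 0x%08x, decision = %d\n",
           reported, decide_client_auth(reported, &enc_only));
    return 0;
}
```

The point of the ordering in decide_client_auth() is that the sentinel and the "no certificate" case are handled before the flags are interpreted, so a client that sends nothing is explicitly treated as anonymous rather than silently passing a zero result, and the purpose check runs even when the library's flags say the certificate is clean.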
Preconditions
- (config) The server must be configured to use TLS 1.3.
- (config) The server must have optional client authentication enabled.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-3/ (NVD: Vendor Advisory)
- https://github.com/Mbed-TLS/mbedtls/releases/ (NVD: Release Notes)
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/ (NVD: Issue Tracking)
News mentions
No linked articles in our index yet.