What is CVE-2026-1677?

CVE-2026-1677 is a medium-severity vulnerability in Zephyrproject-rtos Zephyr, classified under CWE-757. CVSS score: 5.3/10. Published 2026-05-11.

How severe is CVE-2026-1677?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Zephyrproject-rtos Zephyr

CVE-2026-1677

Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_…

EPSS: 0.000 (14.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Zephyrproject-rtos Zephyr

Weakness classification (CWE)

CWE-757

References

vulnerabilities@zephyrproject.org

Frequently asked questions

What is CVE-2026-1677?: CVE-2026-1677 is a medium-severity vulnerability in Zephyrproject-rtos Zephyr, classified under CWE-757. CVSS score: 5.3/10. Published 2026-05-11.
How severe is CVE-2026-1677?: Medium severity. CVSS v3 base score is 5.3 out of 10.