CVE-2026-42770

June 10, 2026, 8:16 a.m.

3.7
Low

Description

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Product(s) Impacted

Vendor Product Versions
Openssl
  • Openssl
  • 4.0, 3.6, 3.5, 3.4, 3.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-325
Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a openssl openssl 4.0 / / / / / / /
a openssl openssl 3.6 / / / / / / /
a openssl openssl 3.5 / / / / / / /
a openssl openssl 3.4 / / / / / / /
a openssl openssl 3.0 / / / / / / /

References

https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02
https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb
https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c
https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2
https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070
https://openssl-library.org/news/secadv/20260609.txt

Tags

[email protected]
CWE-325
2026-06-09
CVE-2026-42770

CVSS Score

3.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: June 9, 2026, 5:17 p.m.
Last Modified: June 10, 2026, 8:16 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.