CVE-2026-42770 (GCVE-0-2026-42770)
Vulnerability from cvelistv5
Published
2026-06-09 16:03
Modified
2026-06-10 07:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-325 - Missing Cryptographic Step
Summary
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)
peer key, the peer key is not properly checked for the subgroup membership.
Impact summary: A malicious peer which presents an X9.42 key carrying the
victim's p and g parameters, a forged q = r (a small prime factor of the
cofactor (p−1)/q_local), and a public value Y of order r can recover the
victim's private key after a small number of key exchange attempts.
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the
subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's
own q parameter, not the local key's q. The peer's domain parameters are
then matched against the domain parameters of the private key, but the value
of q is not compared.
A malicious peer who presents an X9.42 key carrying the victim's p, g,
a forged q = r (a small prime factor of the cofactor), and a public
value Y of order r passes all checks. The shared secret then takes only
r distinct values, leaking priv mod r. Repeating for each small-prime
factor of the cofactor and combining via CRT recovers the full private
key (Lim–Lee / small-subgroup-confinement attack).
The realistic attack surface is narrow: principally CMP deployments with
long-lived RA/CA DHX keys and bespoke enterprise or government applications
using X9.42 DHX static keys with interactive protocols and therefore this
issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this
issue.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:34:57.693097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:35:28.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alex Gaynor (Anthropic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Gaynor (Anthropic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Viktor Dukhovni"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Norbert P\u00f3cs"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\u003cbr\u003epeer key, the peer key is not properly checked for the subgroup membership.\u003cbr\u003e\u003cbr\u003eImpact summary: A malicious peer which presents an X9.42 key carrying the\u003cbr\u003evictim\u0027s p and g parameters, a forged q = r (a small prime factor of the\u003cbr\u003ecofactor (p\u22121)/q_local), and a public value Y of order r can recover the\u003cbr\u003evictim\u0027s private key after a small number of key exchange attempts.\u003cbr\u003e\u003cbr\u003eWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\u003cbr\u003esubgroup membership check Y^q \u2261 1 (mod p) is performed using the peer\u0027s\u003cbr\u003eown q parameter, not the local key\u0027s q. The peer\u0027s domain parameters are\u003cbr\u003ethen matched against the domain parameters of the private key, but the value\u003cbr\u003eof q is not compared.\u003cbr\u003e\u003cbr\u003eA malicious peer who presents an X9.42 key carrying the victim\u0027s p, g,\u003cbr\u003ea forged q = r (a small prime factor of the cofactor), and a public\u003cbr\u003evalue Y of order r passes all checks. The shared secret then takes only\u003cbr\u003er distinct values, leaking priv mod r. Repeating for each small-prime\u003cbr\u003efactor of the cofactor and combining via CRT recovers the full private\u003cbr\u003ekey (Lim\u2013Lee / small-subgroup-confinement attack).\u003cbr\u003e\u003cbr\u003eThe realistic attack surface is narrow: principally CMP deployments with\u003cbr\u003elong-lived RA/CA DHX keys and bespoke enterprise or government applications\u003cbr\u003eusing X9.42 DHX static keys with interactive protocols and therefore this\u003cbr\u003eissue was assigned Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\u003cbr\u003eissue."
}
],
"value": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\npeer key, the peer key is not properly checked for the subgroup membership.\n\nImpact summary: A malicious peer which presents an X9.42 key carrying the\nvictim\u0027s p and g parameters, a forged q = r (a small prime factor of the\ncofactor (p\u22121)/q_local), and a public value Y of order r can recover the\nvictim\u0027s private key after a small number of key exchange attempts.\n\nWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\nsubgroup membership check Y^q \u2261 1 (mod p) is performed using the peer\u0027s\nown q parameter, not the local key\u0027s q. The peer\u0027s domain parameters are\nthen matched against the domain parameters of the private key, but the value\nof q is not compared.\n\nA malicious peer who presents an X9.42 key carrying the victim\u0027s p, g,\na forged q = r (a small prime factor of the cofactor), and a public\nvalue Y of order r passes all checks. The shared secret then takes only\nr distinct values, leaking priv mod r. Repeating for each small-prime\nfactor of the cofactor and combining via CRT recovers the full private\nkey (Lim\u2013Lee / small-subgroup-confinement attack).\n\nThe realistic attack surface is narrow: principally CMP deployments with\nlong-lived RA/CA DHX keys and bespoke enterprise or government applications\nusing X9.42 DHX static keys with interactive protocols and therefore this\nissue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\nissue."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325 Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:07.613Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FFC-DH Peer Validation Uses Attacker-Supplied q",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-42770",
"datePublished": "2026-06-09T16:03:29.802Z",
"dateReserved": "2026-04-29T09:22:27.969Z",
"dateUpdated": "2026-06-10T07:48:07.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…