Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery
Summary
| CVE | CVE-2026-14570 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-05 02:17:40 UTC |
| Updated | 2026-07-05 06:16:25 UTC |
| Description | Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." Each signature therefore reveals a known bit of its nonce k, and because k = s^-1 (H + x r) mod q is an affine function of the private key x, a set of signatures forms a hidden number problem that lattice reduction solves. An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with such a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated. |
Risk And Classification
Problem Types: CWE-330 Use of Insufficiently Random Values
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.openwall.com/lists/oss-security/2026/07/05/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/source/lib/Crypt/DSA/Util.pm | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/diff/TIMLEGGE/Crypt-DSA-1.21 | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Upgrade to version 1.22 or later, which draws the nonce and private key uniformly via rejection sampling (Crypt::DSA::Util::randombelow) with no forced high bit. Upgrading protects only future signatures: every signature already produced with an affected version has leaked a nonce bit, so revoke and regenerate any key used to sign with an affected version. Crypt::DSA was deprecated in version 1.20; migrate to another implementation.
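The bias described in the Description above and the rejection-sampling fix in this Solutions entry, side by side, as an added example (Python; not code from Crypt::DSA or from this advisory): toy DSA parameters, a sampler that forces the high bit as makerandom is described to do, the uniform rejection sampler, and the attacker's view of what a fixed top bit leaks per signature. Assumptions of this example: a toy 32-bit q instead of real DSA sizes, SHA-256 reduced mod q as the toy hash, and resampling whenever the forced-bit value is at or above q (a choice made for the toy, not a claim about how Crypt::DSA handles it); the helper names (toy_params, biased_nonce, top_bit_rate, run_demo) are this example's own.

```python
"""Toy reproduction of the Crypt::DSA nonce bias (CVE-2026-14570). Added example, not
Crypt::DSA code: toy DSA parameters, a makerandom()-style sampler that forces the high
bit, the rejection sampler of the 1.22 fix, and a count of how often each leaves the
signing nonce's top bit fixed. Python 3.8+ (pow(k, -1, q) for modular inverses)."""
import hashlib
import random
MR_BASES = (2, 3, 5, 7, 11, 13, 17)  # deterministic Miller-Rabin witnesses for n < 3.4e14

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_params(nbits=32):
    q = 3 << (nbits - 2)  # q ~ 1.5 * 2^(nbits-1): a uniform nonce has its top bit set only ~1/3 of the time
    while not is_prime(q):
        q += 1
    k = 2
    while not is_prime(k * q + 1):  # p = k*q + 1, so (p - 1) / q == k
        k += 2
    p = k * q + 1
    g = next(pow(h, k, p) for h in range(2, 1000) if pow(h, k, p) != 1)  # element of order q
    return p, q, g

def makerandom(nbits, rng):
    """The behaviour the advisory describes: random bits with the high bit forced to 1."""
    return rng.getrandbits(nbits) | (1 << (nbits - 1))

def biased_nonce(q, rng):
    """Nonce via makerandom(); resampling when k >= q is this toy's choice, not a claim about Crypt::DSA."""
    while True:
        k = makerandom(q.bit_length(), rng)
        if k < q:
            return k  # always in [2^(N-1), q): the top bit is never random

def randombelow(q, rng):
    """Rejection sampling as in the fix: uniform on [1, q), no forced bit."""
    while True:
        k = rng.getrandbits(q.bit_length())
        if 1 <= k < q:
            return k

def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q  # toy: reduce rather than truncate

def sign(params, x, msg, nonce_fn, rng):
    p, q, g = params
    h = hash_to_int(msg, q)
    while True:
        k = nonce_fn(q, rng)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q if r else 0
        if r and s:
            return r, s

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, h = pow(s, -1, q), hash_to_int(msg, q)
    return (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q == r

def top_bit_rate(q, x, msgs, sigs):
    """Fraction of signatures whose nonce has its top bit set. k = s^-1 (h + x r) mod q is affine
    in x, so each signature with a known top bit is one inequality on x: the hidden number problem."""
    top = q.bit_length() - 1
    ks = (pow(s, -1, q) * (hash_to_int(m, q) + x * r) % q for m, (r, s) in zip(msgs, sigs))
    return sum(k >> top for k in ks) / len(sigs)  # k < q < 2^N, so k >> (N-1) is 0 or 1

def run_demo(n_sigs=200, seed=1234):
    """Signs n_sigs constructed messages with each sampler under one key; returns per-sampler results."""
    params = toy_params()
    p, q, g = params
    rng = random.Random(seed)  # seeded so the run is reproducible
    x = randombelow(q, rng)    # private key
    y = pow(g, x, p)           # public key
    msgs = [b"constructed message %d" % i for i in range(n_sigs)]
    out = {}
    for name, nonce_fn in (("makerandom", biased_nonce), ("randombelow", randombelow)):
        sigs = [sign(params, x, m, nonce_fn, rng) for m in msgs]
        out[name] = {"all_verify": all(verify(params, y, m, s) for m, s in zip(msgs, sigs)),
                     "top_bit_rate": top_bit_rate(q, x, msgs, sigs)}
    return out

if __name__ == "__main__":
    print(run_demo())
```

Running the script prints a result per sampler: every signature verifies under both, but with the makerandom-style nonce the recovered nonce has its top bit set in 100% of signatures, while with randombelow it is set only about a third of the time for this toy q (the value a uniform draw should give). The example stops at showing the leak; turning the collected inequalities on x into the private key is the lattice step the advisory refers to, which needs lattice reduction software and a number of signatures that grows with the size of q.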
There are currently no legacy QID mappings associated with this CVE.