FFC-DH Peer Validation Uses Attacker-Supplied q
Summary
| CVE | CVE-2026-42770 |
|---|---|
| State | PUBLISHED |
| Assigner | openssl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 17:17:08 UTC |
| Updated | 2026-06-09 21:17:17 UTC |
| Description | Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue. |
Risk And Classification
Primary CVSS: v3.1 3.7 LOW from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-325 | CWE-325 CWE-325 Missing Cryptographic Step
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenSSL | OpenSSL | affected 4.0.0 4.0.1 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.6.0 3.6.3 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.5.0 3.5.7 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.4.0 3.4.6 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.0.0 3.0.21 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/openssl/security/commit/ca2237ab5615641b662183b077f62c08d75e8070 | [email protected] | github.com | |
| github.com/openssl/security/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02 | [email protected] | github.com | |
| github.com/openssl/security/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c | [email protected] | github.com | |
| github.com/openssl/security/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb | [email protected] | github.com | |
| github.com/openssl/security/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2 | [email protected] | github.com | |
| openssl-library.org/news/secadv/20260609.txt | [email protected] | openssl-library.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Alex Gaynor (Anthropic) (en)
CNA: Alex Gaynor (Anthropic) (en)
CNA: Viktor Dukhovni (en)
CNA: Norbert Pócs (en)
There are currently no legacy QID mappings associated with this CVE.