CVE-2026-42770
Status: Awaiting Analysis
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols, and therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.
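To make the flawed check concrete, the following is an added toy model of DHX peer-key validation; it is not OpenSSL's code. The vulnerable variant tests subgroup membership with the peer's own q and compares only p and g, while the fixed variant requires all three domain parameters to match and tests Y against the local q. The parameters (p = 211, q = 7) and all keys are constructed values chosen so that the cofactor has the small prime factor r = 5.

```python
# Added toy model of DHX peer-key validation (constructed values, not OpenSSL code).
# p = 211 gives p-1 = 210 = 2*3*5*7; the subgroup order is q = 7, cofactor 30 = 2*3*5.
from dataclasses import dataclass


@dataclass(frozen=True)
class DhxKey:
    p: int  # prime modulus
    q: int  # claimed order of the subgroup generated by g
    g: int  # generator
    y: int  # public value


def in_subgroup(p: int, q: int, y: int) -> bool:
    """Public-value check: 1 < Y < p-1 and Y^q == 1 (mod p)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def accept_peer_vulnerable(local: DhxKey, peer: DhxKey) -> bool:
    """Flawed logic: membership tested with the PEER's q; p and g compared, q ignored."""
    return in_subgroup(peer.p, peer.q, peer.y) and peer.p == local.p and peer.g == local.g


def accept_peer_fixed(local: DhxKey, peer: DhxKey) -> bool:
    """Corrected logic: p, q and g must all match, and Y is tested against the LOCAL q."""
    params_match = (peer.p, peer.q, peer.g) == (local.p, local.q, local.g)
    return params_match and in_subgroup(local.p, local.q, peer.y)


def element_of_order(p: int, r: int) -> int:
    """Return an element of exact order r in Z_p^* (r a prime dividing p-1)."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:          # h^((p-1)/r) != 1 and r prime => order exactly r
            return y
    raise ValueError("no element of that order")


def distinct_secrets(peer_y: int, p: int, n: int) -> int:
    """Number of different shared secrets Y^priv mod p over n candidate private keys."""
    return len({pow(peer_y, priv, p) for priv in range(1, n + 1)})


def toy_keys():
    """Constructed local key, an honest peer key and a forged peer key (q = r = 5)."""
    p, q, priv = 211, 7, 5
    g = element_of_order(p, q)
    local = DhxKey(p, q, g, pow(g, priv, p))
    honest = DhxKey(p, q, g, pow(g, 3, p))              # genuine peer in the order-q subgroup
    r = 5                                               # small prime factor of the cofactor
    forged = DhxKey(p, r, g, element_of_order(p, r))    # forged q = r, Y of order r
    return local, honest, forged
```

With the forged key, the vulnerable check accepts it and the shared secret can take only r = 5 values, whereas the fixed check rejects it because q differs from the local q (and Y^q_local is not 1).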
Meta Information
Generated: 2026-06-10
Affected Vendors & Products
Vendor Product Version / Range
openssl openssl 4.0
openssl openssl 3.6
openssl openssl 3.5
openssl openssl 3.4
openssl openssl 3.0
CWE: CWE-325 (The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.)
Executive Summary

This vulnerability occurs when the function EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key. The peer key is not properly checked for subgroup membership, specifically the value q is not correctly verified against the local key's parameters.

A malicious peer can present a specially crafted X9.42 key that uses the victim's p and g parameters, a forged q equal to a small prime factor r of the cofactor, and a public value Y of order r. This allows the attacker to recover the victim's private key after a small number of key exchange attempts by exploiting the small-subgroup-confinement attack.

The issue arises because the subgroup membership check uses the peer's q parameter instead of the local key's q, allowing the attacker to bypass proper validation and leak private key information.

The attack surface is narrow, mainly affecting CMP deployments with long-lived RA/CA DHX keys and custom enterprise or government applications using X9.42 DHX static keys with interactive protocols.

Impact Analysis

This vulnerability can lead to the recovery of your private key by a malicious peer after a small number of key exchange attempts.

If exploited, an attacker can compromise the confidentiality and integrity of communications that rely on the affected DHX keys, potentially allowing unauthorized access or data decryption.

However, the realistic attack surface is narrow, so typical users may not be affected unless they use specific long-lived DHX keys in certain enterprise or government applications.

Compliance Impact

This vulnerability involves a cryptographic weakness in EVP_PKEY_derive_set_peer() when used with DHX (X9.42) keys, potentially allowing a malicious peer to recover a victim's private key under specific conditions.

While the issue could lead to leakage of private keys, the realistic attack surface is narrow and primarily affects certain CMP deployments and bespoke enterprise or government applications using static X9.42 DHX keys.

The CVE description does not explicitly mention any direct impact on compliance with common standards or regulations such as GDPR or HIPAA.

However, since private key compromise can undermine data confidentiality and integrity, organizations relying on affected cryptographic modules might face increased risk of non-compliance if this vulnerability is exploited and leads to unauthorized data access.
