CVE-2026-14570

DSA Private Key Recovery in Crypt::DSA for Perl

Vulnerability report for CVE-2026-14570, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: CPANSec

Description

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.
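To make the "not uniform" point concrete, the following added example (written for this page, not code from Crypt::DSA or CPANSec) models the behaviour the advisory describes, compares it with a uniform draw, and shows the bit position that a fixed high bit leaks. `biased_makerandom` is a hypothetical re-creation of the described behaviour, not the module's code; the 160-bit size, the sample counts and the demo modulus are constructed for the illustration.

```python
import secrets
from functools import reduce
from operator import and_, or_

def biased_makerandom(nbits: int) -> int:
    """Model of the behaviour the advisory describes for Crypt::DSA::Util::makerandom
    (hypothetical re-creation, not the module's code): draw nbits random bits and
    force the top bit so the result is always exactly nbits long."""
    return secrets.randbits(nbits) | (1 << (nbits - 1))

def unbiased_draw(nbits: int) -> int:
    """Reference draw: uniform over all nbits-bit values, top bit set about half the time."""
    return secrets.randbits(nbits)

def uniform_nonce(q: int) -> int:
    """How a DSA nonce k should be drawn: uniform in [1, q-1], with no bit of k fixed.
    secrets.randbelow uses rejection sampling, so no modular bias is introduced either."""
    return 1 + secrets.randbelow(q - 1)

def top_bit_fraction(draw, nbits: int, samples: int = 2000) -> float:
    """Fraction of draws whose top bit (bit nbits-1) is set: 1.0 for the biased
    generator, about 0.5 for a uniform one."""
    hits = sum((draw() >> (nbits - 1)) & 1 for _ in range(samples))
    return hits / samples

def fixed_bit_positions(values, nbits: int) -> set:
    """Bit positions that hold the same value in every sample. A bit that is
    constant across every signature is the per-signature leak the advisory
    refers to; a uniform generator yields no such position."""
    always_one = reduce(and_, values)
    ever_one = reduce(or_, values)
    return {i for i in range(nbits)
            if (always_one >> i) & 1 or not (ever_one >> i) & 1}

if __name__ == "__main__":
    N = 160  # subgroup-order size of classic DSA; constructed for the demo
    print("biased top-bit rate :", top_bit_fraction(lambda: biased_makerandom(N), N))
    print("uniform top-bit rate:", top_bit_fraction(lambda: unbiased_draw(N), N))
    print("fixed bits, biased  :", fixed_bit_positions([biased_makerandom(N) for _ in range(2000)], N))
    print("fixed bits, uniform :", fixed_bit_positions([unbiased_draw(N) for _ in range(2000)], N))
```

Run as a script, the biased generator reports a top-bit rate of exactly 1.0 and a fixed position {159}, while the uniform draw reports a rate near 0.5 and an empty set; `uniform_nonce` shows the shape a nonce generator should have, with the range set by the subgroup order q rather than by a bit length.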

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPE (1):
Vendor: timlegge
Product: crypt_dsa
Version / Range: all versions before 1.22 (1.22 excluded)

Exploitability

CWE: CWE-330. The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

AI Quick Actions
Executive Summary

Crypt::DSA versions before 1.22 for Perl have a vulnerability where the DSA signing nonce and private key are generated using a biased random number generator.

Specifically, the function Crypt::DSA::Util::makerandom forces the high bit of every value it returns to be set, so that the result is an exactly N-bit integer for prime search. Because the high bit is always set, the generated values are not uniformly random, which makes the signing nonce and private key drawn from it insecure.

An attacker who collects a modest number of signatures created with an affected key, along with the public key, can use a lattice attack to recover the private key.

Therefore, keys used to sign with an affected version should be considered compromised and replaced with new keys.

Impact Analysis

This vulnerability can lead to the recovery of your private key by an attacker if they obtain a modest number of signatures generated with the affected Crypt::DSA version.

Once the private key is recovered, the attacker can impersonate you by creating valid signatures, potentially allowing unauthorized access, data tampering, or fraudulent transactions.

Because the private key is compromised, any security guarantees provided by the digital signatures are invalidated.

To mitigate this impact, you should consider all keys used with the affected versions compromised and generate new keys using a secure version.

Detection Guidance

This vulnerability involves the use of Crypt::DSA versions before 1.22 for Perl, where the signing nonce and private key are generated from a biased random number generator. Detection involves identifying if your system or network is using an affected version of the Crypt::DSA Perl module.

To detect the vulnerability, you can check the installed version of the Crypt::DSA Perl module on your system. For example, you can run the following command in a terminal to find the version:

  • perl -MCrypt::DSA -e 'print $Crypt::DSA::VERSION, "\n"'

If the version is before 1.22 (e.g., 1.21 or earlier), the system is vulnerable.

Additionally, you can inspect the source code or installed files to verify whether the makerandom function behaves as described, but this requires deeper code analysis.
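A scripted form of the version check above, as an added example that is not part of this page or of the Crypt::DSA distribution: it runs the same perl one-liner, normalises the reported version string, and compares it with 1.22. It assumes CPAN decimal-style versions (for example 1.21, or 1.21_01 for a developer release), which is the scheme Crypt::DSA is assumed to use; `FIXED_VERSION`, `parse_version`, `is_affected` and `installed_version` are names chosen here.

```python
import re
import subprocess
from decimal import Decimal

FIXED_VERSION = "1.22"  # first fixed release named in the advisory

def parse_version(version: str) -> Decimal:
    """Normalise a CPAN decimal version for numeric comparison.
    Handles '1.21', a developer release such as '1.21_01' (underscore dropped,
    as perl does), and a leading 'v'. Assumes decimal-style versions only."""
    v = version.strip().lstrip("v").replace("_", "")
    if not re.fullmatch(r"\d+(\.\d+)?", v):
        raise ValueError(f"unrecognised version string: {version!r}")
    return Decimal(v)

def is_affected(version: str) -> bool:
    """True when the given Crypt::DSA version is before the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def installed_version():
    """Ask perl for the installed Crypt::DSA version with the same one-liner as
    the guidance above. Returns None when perl or the module is unavailable."""
    cmd = ["perl", "-MCrypt::DSA", "-e", 'print $Crypt::DSA::VERSION, "\\n"']
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None

if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("Crypt::DSA not installed (or perl not available): not affected on this host")
    elif is_affected(found):
        print(f"Crypt::DSA {found} is before {FIXED_VERSION}: AFFECTED, treat keys signed with it as compromised")
    else:
        print(f"Crypt::DSA {found} is {FIXED_VERSION} or later: not affected")
```

Because the comparison is numeric, 1.21 and 1.21_01 both sort before 1.22 while 1.3 (that is, 1.30) sorts after it, matching how perl compares decimal versions; a host with no Crypt::DSA installed is reported as not affected rather than as an error.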

Mitigation Strategies

Immediate mitigation steps include considering all keys used to sign with an affected version of Crypt::DSA as compromised.

You should generate new keys using a fixed version of Crypt::DSA (version 1.22 or later) that does not use the biased random number generator.

Replace all affected keys in your systems and revoke the compromised keys to prevent unauthorized use.

Compliance Impact

This vulnerability allows an attacker to recover private keys used in digital signatures due to biased random number generation in Crypt::DSA versions before 1.22. As a result, keys used with affected versions should be considered compromised.

Compromise of private keys used for signing can lead to unauthorized data access or data integrity violations, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and secure cryptographic practices.

Therefore, organizations using affected versions risk non-compliance if compromised keys are not replaced promptly, as the vulnerability undermines the security guarantees expected by these regulations.
