GHSA-3CXM-476W-GHM2
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-10 09:31Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.
Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.
A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).
The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2026-42770"
],
"database_specific": {
"cwe_ids": [
"CWE-325"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:08Z",
"severity": "LOW"
},
"details": "Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)\npeer key, the peer key is not properly checked for the subgroup membership.\n\nImpact summary: A malicious peer which presents an X9.42 key carrying the\nvictim\u0027s p and g parameters, a forged q = r (a small prime factor of the\ncofactor (p\u22121)/q_local), and a public value Y of order r can recover the\nvictim\u0027s private key after a small number of key exchange attempts.\n\nWhen EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the\nsubgroup membership check Y^q \u2261 1 (mod p) is performed using the peer\u0027s\nown q parameter, not the local key\u0027s q. The peer\u0027s domain parameters are\nthen matched against the domain parameters of the private key, but the value\nof q is not compared.\n\nA malicious peer who presents an X9.42 key carrying the victim\u0027s p, g,\na forged q = r (a small prime factor of the cofactor), and a public\nvalue Y of order r passes all checks. The shared secret then takes only\nr distinct values, leaking priv mod r. Repeating for each small-prime\nfactor of the cofactor and combining via CRT recovers the full private\nkey (Lim\u2013Lee / small-subgroup-confinement attack).\n\nThe realistic attack surface is narrow: principally CMP deployments with\nlong-lived RA/CA DHX keys and bespoke enterprise or government applications\nusing X9.42 DHX static keys with interactive protocols and therefore this\nissue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this\nissue.",
"id": "GHSA-3cxm-476w-ghm2",
"modified": "2026-06-10T09:31:57Z",
"published": "2026-06-09T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42770"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/ca2237ab5615641b662183b077f62c08d75e8070"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20260609.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.