CVE Vulnerabilities

CVE-2026-42770

Missing Cryptographic Step

Published: Jun 09, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.9 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victims p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victims private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peers own q parameter, not the local keys q. The peers domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.

A malicious peer who presents an X9.42 key carrying the victims p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Weakness

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

Affected Software

NameVendorStart VersionEnd Version
OpensslOpenssl3.0.0 (including)3.0.21 (excluding)
OpensslOpenssl3.4.0 (including)3.4.6 (excluding)
OpensslOpenssl3.5.0 (including)3.5.7 (excluding)
OpensslOpenssl3.6.0 (including)3.6.3 (excluding)
OpensslOpenssl4.0.0 (including)4.0.0 (including)
Red Hat Enterprise Linux 10RedHatopenssl-1:3.5.5-4.el10_2*
Red Hat Enterprise Linux 9RedHatopenssl-1:3.5.5-4.el9_8*
Red Hat Enterprise Linux 9RedHatopenssl-1:3.5.5-4.el9_8*
Red Hat Discovery 2RedHatdiscovery/discovery-server-rhel9:1782159791*
Red Hat Discovery 2RedHatdiscovery/discovery-ui-rhel9:1782166952*
Red Hat Update Infrastructure 5RedHatrhui5/cds-rhel9:1781525684*
Red Hat Update Infrastructure 5RedHatrhui5/haproxy-rhel9:1781525671*
Red Hat Update Infrastructure 5RedHatrhui5/installer-rhel9:1781525693*
Red Hat Update Infrastructure 5RedHatrhui5/rhua-rhel9:1781525739*
NodejsUbuntuesm-apps/jammy*
NodejsUbuntujammy*
OpensslUbuntudevel*
OpensslUbuntufips-preview/jammy*
OpensslUbuntufips-updates/jammy*
OpensslUbuntujammy*
OpensslUbuntunoble*
OpensslUbuntuquesting*
OpensslUbunturesolute*

References