Cyber Resilience

CVE-2026-42770

Severity: Low (updated)

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: OpenSSL commits (see References)
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0026 (17.3rd percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-42770 is a low-severity Missing Cryptographic Step (CWE-325) vulnerability in OpenSSL (CPE vendor/product: Openssl Openssl). Its CVSS 3.1 base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 17.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-42770 is an improper input validation flaw in OpenSSL's handling of Diffie-Hellman X9.42 (DHX) keys. When EVP_PKEY_derive_set_peer() receives a peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer-supplied q value rather than the local key's q, and the subsequent domain-parameter match does not compare q at all. The issue affects the FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 and is tracked under CWE-325 with a CVSS 3.1 score of 3.7.

An attacker who can supply a DHX peer key to a victim performing key derivation can present a malicious X9.42 structure containing the victim's p and g, a forged small prime q = r that divides the cofactor, and a public value Y of order r. This passes all validation checks, after which the shared secret is confined to only r possible values and leaks the victim's private key modulo r. Repeating the exchange for each small prime factor of the cofactor and combining the results via the Chinese Remainder Theorem recovers the full private key after a modest number of interactions.

The realistic attack surface is described as narrow and primarily limited to CMP deployments that use long-lived RA/CA DHX keys or bespoke enterprise and government applications employing static X9.42 keys in interactive protocols; the issue was therefore rated low severity. Public references consist of five OpenSSL commits that implement the corrective subgroup checks and parameter validation. The current EPSS remains at 0.0001 with no material increase observed.


Vulnerability details

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r therefore passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols. This issue was therefore assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.
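The check described in the "Deeper analysis" and "Vulnerability details" sections above, as an added toy model that is not OpenSSL's code: a peer-key validator that uses the peer-supplied q and skips comparing q beside the corrected validator that compares all domain parameters and tests subgroup membership against the local q. The parameters (p = 67, q = 11, g = 64, r = 3, Y = 37) and key names are constructed for illustration.

```python
# Constructed toy model of the DHX (X9.42) peer-key validation described for
# CVE-2026-42770. Not OpenSSL code; the numbers are tiny so the maths is visible.
from dataclasses import dataclass


@dataclass(frozen=True)
class DhxKey:
    p: int  # prime modulus
    q: int  # order of the subgroup generated by g (q divides p - 1)
    g: int  # generator of the order-q subgroup
    y: int  # public value


# Constructed domain: p = 67, q = 11, p - 1 = 66, cofactor (p - 1) / q = 6 = 2 * 3.
# g = 64 has order 11 modulo 67.
LOCAL_P, LOCAL_Q, LOCAL_G = 67, 11, 64
LOCAL_PRIV = 7
LOCAL_KEY = DhxKey(LOCAL_P, LOCAL_Q, LOCAL_G, pow(LOCAL_G, LOCAL_PRIV, LOCAL_P))

# Honest peer: y lies in the order-11 subgroup (y = g^5 mod p = 25).
HONEST_PEER = DhxKey(LOCAL_P, LOCAL_Q, LOCAL_G, pow(LOCAL_G, 5, LOCAL_P))
# Peer key of the shape the advisory describes: victim's p and g, q replaced by
# the cofactor's small prime r = 3, and y = 37, which has order 3 modulo 67.
FORGED_PEER = DhxKey(LOCAL_P, 3, LOCAL_G, 37)


def flawed_peer_check(local: DhxKey, peer: DhxKey) -> bool:
    """Models the defect: the subgroup test uses the peer's q, and the
    domain-parameter match compares p and g but never q."""
    if not 1 < peer.y < peer.p - 1:
        return False
    if pow(peer.y, peer.q, peer.p) != 1:  # peer-supplied q
        return False
    return peer.p == local.p and peer.g == local.g  # q not compared


def fixed_peer_check(local: DhxKey, peer: DhxKey) -> bool:
    """Corrected validation: every domain parameter including q must equal the
    local key's, and the subgroup test y^q = 1 (mod p) uses the local q."""
    if (peer.p, peer.q, peer.g) != (local.p, local.q, local.g):
        return False
    if not 1 < peer.y < local.p - 1:
        return False
    return pow(peer.y, local.q, local.p) == 1


def distinct_secret_count(peer_y: int, p: int, q: int) -> int:
    """Number of distinct shared secrets peer_y^priv mod p can take over all
    private exponents in [1, q-1]; a small-order peer_y confines it to that order."""
    return len({pow(peer_y, x, p) for x in range(1, q)})
```

`distinct_secret_count` makes the impact concrete: the order-3 value yields only three possible shared secrets, whereas the honest subgroup element yields ten, one per private exponent.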

CWE(s)

CWE-325 Missing Cryptographic Step

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The CVE enables private key recovery via a malicious DHX peer key, which directly matches Exploitation for Credential Access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42768 (same product: Openssl Openssl)
CVE-2026-45446 (same product: Openssl Openssl)
CVE-2026-45445 (same product: Openssl Openssl)
CVE-2026-42769 (same product: Openssl Openssl)
CVE-2026-31789 (same product: Openssl Openssl)
CVE-2026-7383 (same product: Openssl Openssl)
CVE-2023-6129 (same product: Openssl Openssl)
CVE-2026-28386 (same product: Openssl Openssl)
CVE-2022-4203 (same product: Openssl Openssl)
CVE-2026-28387 (same product: Openssl Openssl)

Affected Assets

Vendor: openssl
Product: openssl
Versions: 4.0.0 · 3.0.0 to 3.0.21 · 3.4.0 to 3.4.6 · 3.5.0 to 3.5.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (via CWE-325)
  • V-248535 The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. (via CWE-325)
Oracle Linux 9 (1 rule)
  • V-271454 OL 9 must enable FIPS mode. (via CWE-325)
RHEL 7 (1 rule)
  • V-204497 The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (via CWE-325)
RHEL 8 (1 rule)
  • V-230223 RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (via CWE-325)
Ubuntu 22.04 (1 rule)
  • V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (via CWE-325)
Ubuntu 24.04 (1 rule)
  • V-270744 Ubuntu 24.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (via CWE-325)

References