CVE-2026-14570 in Crypt::DSA
Summary
by MITRE • 07/05/2026
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.
"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."
An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.
Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Analysis
by VulDB Data Team • 07/05/2026
The vulnerability in Crypt::DSA versions prior to 1.22 is a critical cryptographic weakness that compromises the security of digital signatures produced by affected systems. It stems from improper random number generation during DSA signing: Crypt::DSA::Util::makerandom systematically forces the high bit of every value it generates so that the result is an exactly N-bit integer, as required for prime searches. While this is intended to satisfy bit-length requirements for cryptographic operations, it introduces a significant bias into the random values, and that bias affects both the DSA signing nonce and the private key itself.
The technical flaw manifests as a non-uniform distribution in the random values generated by makerandom, where the most significant bit is consistently set to one. This deterministic bias creates predictable patterns in the generated numbers that should otherwise be cryptographically secure and uniformly distributed. According to CWE-330, this represents a weakness in randomness where insufficient entropy leads to predictable outputs that can be exploited by attackers. The biased generation process violates fundamental cryptographic principles requiring truly random values for security-critical operations such as DSA signing, where both the nonce and private key must maintain statistical independence and uniform distribution to prevent compromise.
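To make the bias concrete, the following added example (not code from Crypt::DSA or from this advisory) re-creates the described behaviour in Python: one generator forces the top bit as makerandom is reported to do, the other draws the nonce uniformly from [1, q-1], and a small audit routine shows how a defender can detect a fixed leading bit from a sample of outputs. The N=160 size and the stand-in modulus Q_STANDIN are assumptions chosen for illustration, not real DSA parameters.

```python
import secrets

N_BITS = 160  # assumed bit length of the DSA subgroup order q (illustration only)

# Constructed stand-in for an N-bit odd modulus; not a real DSA prime, which is
# irrelevant for the distribution check below.
Q_STANDIN = (1 << N_BITS) - 1


def makerandom_biased(nbits: int) -> int:
    """Re-creates the described pre-1.22 behaviour: the top bit is forced so the
    result is exactly nbits long. Every output lies in [2^(nbits-1), 2^nbits)."""
    return secrets.randbits(nbits) | (1 << (nbits - 1))


def nonce_uniform(q: int) -> int:
    """Correct nonce selection: uniform over [1, q-1] with no forced bits."""
    return 1 + secrets.randbelow(q - 1)


def constant_leading_bits(values, nbits: int) -> int:
    """Count the most-significant bit positions that hold the same value in
    every sample. A bit is constant iff it is set in all samples (AND) exactly
    when it is set in any sample (OR). A healthy generator yields 0; the
    forced top bit yields 1."""
    all_set, any_set = values[0], values[0]
    for v in values[1:]:
        all_set &= v
        any_set |= v
    fixed = 0
    for i in range(nbits - 1, -1, -1):
        if ((all_set >> i) & 1) != ((any_set >> i) & 1):
            break
        fixed += 1
    return fixed


def audit_generator(gen, nbits: int, samples: int = 2000) -> dict:
    """Draw `samples` values from gen() and report leading-bit bias."""
    values = [gen() for _ in range(samples)]
    fixed = constant_leading_bits(values, nbits)
    top_fraction = sum((v >> (nbits - 1)) & 1 for v in values) / samples
    return {
        "fixed_leading_bits": fixed,
        "top_bit_fraction": top_fraction,  # ~0.5 for uniform, 1.0 when forced
        "biased": fixed > 0,
    }
```

Each forced bit is one bit of the nonce known to anyone who reads the library source, which is exactly the partial knowledge that lattice-based key recovery builds on.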
The operational impact of this vulnerability extends well beyond signature forgery: it enables complete private key recovery through lattice-based attacks. An attacker who collects only a modest number of signatures generated with an affected Crypt::DSA version can use the biased random values to reconstruct the private key. This attack vector aligns with ATT&CK technique T1556.004, which involves credential access through cryptographic key recovery. The lattice attack exploits the mathematical relationship between the biased nonce values and the private key, turning a computationally infeasible problem into one that is solvable given enough signature samples. The result is a severe degradation of security in which previously secure cryptographic operations become fully vulnerable to compromise.
This vulnerability requires immediate remediation, including generation of new cryptographic keys for all systems that used affected versions of Crypt::DSA. Compromised keys must be treated as invalid and replaced with fresh key pairs produced by properly implemented random number generators that meet cryptographic standards. Organizations should carry out key rotation across all affected systems, update to Crypt::DSA version 1.22 or later, where the bias has been corrected, and verify that all signature generation uses cryptographically secure random number generation. The flaw illustrates the importance of proper entropy management in cryptographic implementations: a seemingly minor implementation detail can have catastrophic consequences when it undermines the randomness an algorithm depends on.