OpenSSL up to 4.0.0 EVP_PKEY_derive_set_peer missing cryptographic step

Summaryinfo

A vulnerability categorized as problematic has been discovered in OpenSSL up to 3.0.20/3.4.5/3.5.6/3.6.2/4.0.0. This affects the function EVP_PKEY_derive_set_peer. Executing a manipulation can lead to missing cryptographic step. This vulnerability is registered as CVE-2026-42770. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability has been found in OpenSSL up to 3.0.20/3.4.5/3.5.6/3.6.2/4.0.0 and classified as problematic. This vulnerability affects the function EVP_PKEY_derive_set_peer. The manipulation with an unknown input leads to a missing cryptographic step vulnerability. The CWE definition for the vulnerability is CWE-325. The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. As an impact it is known to affect confidentiality. CVE summarizes:

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

The advisory is shared for download at openssl-library.org. This vulnerability was named CVE-2026-42770 since 04/29/2026. The exploitation appears to be difficult. The attack can be initiated remotely. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 06/09/2026). The MITRE ATT&CK project declares the attack technique as T1600.

Upgrading to version 3.0.21, 3.4.6, 3.5.7, 3.6.3 or 4.0.1 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Network Encryption Software

Name

• OpenSSL

Version

• 3.0.0
• 3.0.1
• 3.0.2
• 3.0.3
• 3.0.4
• 3.0.5
• 3.0.6
• 3.0.7
• 3.0.8
• 3.0.9
• 3.0.10
• 3.0.11
• 3.0.12
• 3.0.13
• 3.0.14
• 3.0.15
• 3.0.16
• 3.0.17
• 3.0.18
• 3.0.19
• 3.0.20
• 3.4.0
• 3.4.1
• 3.4.2
• 3.4.3
• 3.4.4
• 3.4.5
• 3.5.0
• 3.5.1
• 3.5.2
• 3.5.3
• 3.5.4
• 3.5.5
• 3.5.6
• 3.6.0
• 3.6.1
• 3.6.2
• 4.0

License

• open-source

Website

• Product: https://www.openssl.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion