CVE-2021-40530
Description
CVE-2021-40530 describes a cross-configuration attack in Crypto++ through 8.5 where unsafe ElGamal parameters allow plaintext recovery in OpenPGP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the ElGamal implementation in Crypto++ versions through 8.5 [1][3]. During interaction between two cryptographic libraries—specifically, when a sender uses Crypto++ to encrypt a message with an OpenPGP public key generated by another library—a dangerous combination of the prime and generator defined by the receiver's public key and the sender's ephemeral exponents leads to a cross-configuration attack [1][3]. This occurs because different OpenPGP implementations interpret the ElGamal component of the OpenPGP standard in subtly different ways, creating interoperability mismatches that expose plaintexts [1][3].
Exploitation
An attacker can recover the plaintext from a single captured ciphertext without needing the private key [1][3]. The attacker only needs network access to observe ciphertexts; no authentication or interaction with the sender or receiver is required [1]. The attack exploits the fact that one implementation's ciphertext generation can be decrypted by an arbitrary library using the same public key, due to incompatible parameter handling [1][3]. Over 2,000 vulnerable public keys were identified in the wild [1].
Impact
Successful exploitation leads to complete disclosure of the plaintext encrypted in the affected ciphertext [1][3]. The confidentiality of the encrypted data is fully compromised. The attack does not recover the private key, so only the specific ciphertexts generated under the vulnerable cross-configuration are affected; future communications are not automatically compromised unless the same parameter mismatch persists [1][3].
Mitigation
As of the publication date (2021-09-06), no fixed version of Crypto++ has been released [1][2]. The advised mitigation is for implementations to strictly adhere to the OpenPGP specification by properly validating and using the prime and generator from the public key, and to avoid generating ElGamal keys with unsafe parameters [1][3]. Users should ensure their OpenPGP libraries are updated to handle ElGamal consistently; the researchers recommended using libraries that implement the standard without deviations [1]. Workarounds include not using ElGamal encryption in OpenPGP or generating keys with carefully chosen parameters [1][3].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Crypto++ / Crypto++
- Range: <=8.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incompatible parameter choices between OpenPGP libraries (Crypto++ using safe primes with prime-order subgroup generators and short exponents, interacting with libraries using full-group generators) enable a cross-configuration attack that allows plaintext recovery via Pohlig–Hellman and Baby-step giant-step discrete log computations."
Attack vector
The attack is a cross-configuration attack: when a sender using one OpenPGP library (e.g., Libgcrypt) encrypts to a receiver whose public key was generated by Crypto++, the interaction of incompatible parameter choices enables plaintext recovery from a single ciphertext [ref_id=1]. Specifically, if the receiver's public key uses a safe prime with a generator of the prime-order subgroup (Crypto++ style), but the sender uses short ephemeral exponents and a generator of the full group (Libgcrypt style), an attacker can combine Pohlig–Hellman and Baby-step giant-step algorithms to compute the ephemeral secret y and decrypt the message [ref_id=1]. The attacker needs only the public key and a single captured ciphertext; no authentication or special network position is required.
Affected code
The vulnerability lies in the ElGamal implementation in Crypto++ through version 8.5. The advisory does not specify exact file paths or function names, but identifies the root cause as the combination of Crypto++'s default parameter choices: safe primes (p = 2q + 1), a generator g that is the smallest quadratic residue (generating the subgroup of order q), and short exponents for both the secret key x and ephemeral exponent y (sampled between 1 and 2^n, with n=226 for 2048-bit p) [ref_id=1].
What the fix does
The advisory does not provide a specific patch or code fix. The recommended remediation is for implementations to avoid the dangerous combination of parameter choices that enables cross-configuration attacks [ref_id=1]. Specifically, libraries should ensure that the ephemeral exponent y is sampled from the full range up to p-1 (as the Go standard library does) rather than using short exponents, or alternatively ensure that the generator g generates the full group of order p-1 rather than a prime-order subgroup [ref_id=1]. Users are advised to generate new keys using implementations that follow these safer parameter choices.
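As an added illustration (not code from the advisory, the paper or Crypto++), the check below classifies the (p, g) of an OpenPGP ElGamal public key along the lines the parameter discussion above uses (safe prime or not; generator of the order-q subgroup or of the full group) and pairs it with ephemeral-exponent sampling over the full range [1, p-2], the remediation the advisory cites. The toy parameters are constructed; the Miller-Rabin test and the ElGamal encrypt/decrypt helpers are there only so the block runs stand-alone.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test; probabilistic, enough for a parameter check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_elgamal_key(p: int, g: int) -> dict:
    """Report the group structure an ElGamal public key (p, g) exposes.

    For a safe prime p = 2q + 1 every element has order 1, 2, q or 2q, so two
    modular exponentiations decide whether g generates the prime-order subgroup
    (the Crypto++ default described above) or the full group (Libgcrypt style).
    """
    q = (p - 1) // 2
    safe = is_probable_prime(p) and p % 2 == 1 and is_probable_prime(q)
    if not safe:
        return {"safe_prime": False, "generator_order": "unknown (p is not a safe prime)"}
    if pow(g, 2, p) == 1:  # covers g == 1 and g == p - 1
        order = "trivial"
    elif pow(g, q, p) == 1:
        order = "q (prime-order subgroup)"
    else:
        order = "2q (full group)"
    return {"safe_prime": True, "generator_order": order}


def sample_ephemeral_full_range(p: int) -> int:
    """Ephemeral exponent drawn uniformly from [1, p-2] instead of a short range."""
    return 1 + secrets.randbelow(p - 2)


def elgamal_encrypt(p: int, g: int, h: int, m: int, k: int) -> tuple:
    return pow(g, k, p), (m * pow(h, k, p)) % p


def elgamal_decrypt(p: int, x: int, c1: int, c2: int) -> int:
    return (c2 * pow(c1, p - 1 - x, p)) % p  # c1^(p-1-x) == c1^(-x) mod p
```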
Preconditions
- config: The receiver's public key must have been generated by Crypto++ (or a library with equivalent parameter choices: safe prime, generator of prime-order subgroup, short exponents)
- config: The sender must use a library (e.g., Libgcrypt) that uses a generator of the full group and short ephemeral exponents
- input: The attacker must have access to a single ciphertext encrypted under the receiver's public key
- network: No authentication or special network access is required; the attack is purely cryptographic
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/57OJA2K5AHX5HAU2QBDRWLGIIUX7GASC/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HGVBZ2TTRKCTYAZTRHTF6OBD4W37F5MT/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJYOZGWI7TD27SEXILSM6VUTPPEICDL7/ (vendor advisory, Fedora)
- eprint.iacr.org/2021/923 (misc)
- ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 (misc)
- ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2 (misc)
News mentions
No linked articles in our index yet.