VYPR
Low severity · 3.7 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42770

Description

OpenSSL DHX key exchange vulnerable to private key recovery via subgroup membership check bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter rather than the local key's q. The peer's other domain parameters are matched against those of the private key, but the value of q is not compared. This affects OpenSSL FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 [1].
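The following added example (not OpenSSL's code) models the validation flaw with toy numbers: a flawed check that runs Y^q mod p with the peer-supplied q beside a corrected check that requires all domain parameters to match and uses the local q. The class and function names, the constructed parameters p = 461, q = 23, the cofactor factor r = 5 and the exponents are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DhxParams:
    """X9.42 domain parameters: prime p, subgroup order q, generator g."""
    p: int
    q: int
    g: int


@dataclass(frozen=True)
class DhxPublicKey:
    params: DhxParams
    y: int


def check_peer_flawed(local: DhxPublicKey, peer: DhxPublicKey) -> bool:
    """Flawed validation as described above: p and g are matched, q is not,
    and the subgroup test Y^q == 1 (mod p) runs with the peer's own q."""
    if (peer.params.p, peer.params.g) != (local.params.p, local.params.g):
        return False
    return pow(peer.y, peer.params.q, peer.params.p) == 1


def check_peer_fixed(local: DhxPublicKey, peer: DhxPublicKey) -> bool:
    """Corrected validation: every domain parameter must match, Y must lie
    strictly between 1 and p-1, and the subgroup test uses the local q."""
    if peer.params != local.params:
        return False
    p, q = local.params.p, local.params.q
    if not 1 < peer.y < p - 1:
        return False
    return pow(peer.y, q, p) == 1


# Constructed toy parameters (assumption; far too small for real use):
# p = 461 is prime and p - 1 = 460 = 2^2 * 5 * 23, so q = 23 and the
# cofactor is 20, whose small prime factor r = 5 plays the forged q.
P, Q, R = 461, 23, 5
TOY = DhxParams(p=P, q=Q, g=pow(2, (P - 1) // Q, P))   # g has order q
LOCAL = DhxPublicKey(TOY, pow(TOY.g, 17, P))           # local key, x = 17
HONEST_PEER = DhxPublicKey(TOY, pow(TOY.g, 9, P))      # legitimate peer
# Forged peer key: same p and g, q replaced by r, and a Y of order r.
FORGED = DhxPublicKey(DhxParams(p=P, q=R, g=TOY.g), pow(2, (P - 1) // R, P))

if __name__ == "__main__":
    for name, peer in (("honest", HONEST_PEER), ("forged", FORGED)):
        print(name, "flawed:", check_peer_flawed(LOCAL, peer),
              "fixed:", check_peer_fixed(LOCAL, peer))
```

The forged key passes the flawed check because 88^5 ≡ 1 (mod 461), while the corrected check rejects it on the q mismatch alone.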

Exploitation

A malicious peer can present an X9.42 key with the victim's p and g parameters, a forged q equal to a small prime factor r of the cofactor, and a public value Y of order r. This forged key passes the checks, allowing the attacker to recover the victim's private key modulo r after a small number of key exchange attempts. By repeating this for each small prime factor of the cofactor and combining the results via the Chinese Remainder Theorem (CRT), the attacker can recover the full private key. This is known as a Lim–Lee / small-subgroup-confinement attack [1].

Impact

Successful exploitation allows an attacker to recover the victim's private key. The realistic attack surface is narrow, primarily affecting CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols. This issue was assigned a Low severity due to this narrow attack surface [1].

Mitigation

Not yet disclosed in the available references.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
