Low

OpenSSL FFC-DH Peer Validation Uses Attacker-Supplied q

IdentifiersCVE-2026-42770CWE-347

CVE-2026-42770 is an improper finite-field Diffie-Hellman peer-key validation flaw in OpenSSL affecting DHX (X9.42) key agreement through EVP_PKEY_derive_set_peer(). When a DHX peer key is supplied, OpenSSL performs the subgroup membership check Y^q ≡ 1 (mod p) using the q value embedded in the attacker-controlled peer key rather than the local private key's q. Although the peer domain parameters are later compared against the local key's parameters, q is not compared, allowing a malicious peer to provide the victim's p and g, a forged small-prime q value, and a public key Y of corresponding small order that passes validation. This enables a Lim-Lee/small-subgroup-confinement attack in which repeated exchanges leak the victim private key modulo small factors of the cofactor; combining the residues via CRT can recover the full private key. The advisory notes the practical exposure is narrow, primarily CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys in interactive protocols. OpenSSL FIPS modules in the 4.0, 3.6, 3.5, 3.4, and 3.0 lines are affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A malicious peer can recover the victim's static DHX private key after a small number of crafted key exchange attempts. By forcing the shared secret into attacker-chosen small subgroups, the attacker learns the private exponent modulo each small prime factor of the cofactor and can reconstruct the full private key using the Chinese Remainder Theorem. Successful exploitation compromises the confidentiality of the private key and any security properties that depend on it, including future key exchanges performed with that long-lived key and potential impersonation or decryption capabilities in affected deployments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding affected DHX (X9.42) static-key deployments, especially long-lived RA/CA DHX keys in CMP environments and bespoke interactive protocols using static DHX keys. Prefer ephemeral key exchange mechanisms or configurations that do not rely on DHX peer keys processed via EVP_PKEY_derive_set_peer(). Limit untrusted peers' ability to initiate repeated key exchanges with the same long-lived key material until fixed releases are installed. No specific vendor workaround beyond upgrading is provided in the supplied content.

Remediation

Patch, then assume compromise.

Upgrade to an OpenSSL release containing the vendor fix. The provided content indicates fixes were issued in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, and downstream vendors should be updated to packages incorporating those fixes. Because the flaw also affects the OpenSSL FIPS modules in the 4.0, 3.6, 3.5, 3.4, and 3.0 branches, environments relying on those modules should ensure the corrected module/package versions are deployed.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

alpinelinuxNews

Jun 13, 2026

Alpine 3.24.1 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.24.1 as part of the June 9, 2026 advisory.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL DHX peer validation flaw where subgroup membership checks use attacker-supplied q, enabling small-subgroup confinement attacks and possible private key recovery in narrow scenarios.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-42770

NVD

nvd.nist.gov/vuln/detail/CVE-2026-42770

MITRE CWE · CWE-347

cwe.mitre.org

Patch

github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02

Patch

github.com/openssl/openssl/commit/3ddbb7ab50bd93dfc59cbe08e269a67605aeebdb

Patch

github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c

Patch

github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2

Patch

github.com/openssl/openssl/commit/ca2237ab5615641b662183b077f62c08d75e8070

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt