OpenSSL FFC-DH Peer Validation Uses Attacker-Supplied q Vulnerability

Vulnerability

A vulnerability exists in OpenSSL's handling of Diffie-Hellman key exchange with DHX (X9.42) peer keys. When EVP_PKEY_derive_set_peer() is called with such a key, the peer key's subgroup membership is not properly validated: the check relies on the q value supplied with the peer key rather than on the victim's own domain parameters. This flaw allows a malicious peer to present a key that can be used to recover the victim's private key after a few key exchange attempts. The vulnerability affects OpenSSL versions 4.0, 3.6, 3.5, 3.4, and 3.0.

Impact

Exploitation of this vulnerability allows a malicious peer to recover the victim's private key by taking advantage of the improper validation of the peer key's subgroup membership.

Reproduction

To reproduce this vulnerability, a malicious peer must present a DHX key that includes the victim's p and g parameters, a forged q value that is a small prime factor of the cofactor, and a public value Y of order r. The victim's private key can then be recovered after a small number of key exchange attempts.
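As an added illustration (not OpenSSL's own code), the following Python script contrasts a subgroup check that trusts the q value arriving with the peer key, modelled on the flaw described above, with a hardened check that validates the peer's public value against the recipient's own (p, q, g). The toy-sized parameters (p = 67, q = 11, cofactor factor r = 3), the function names and the sample exchange are all constructed for this example; real deployments use parameters of 2048 bits or more.

```python
# Added illustrative example; not code from OpenSSL. Toy-sized parameters
# constructed for this demonstration: p = 2*q*r + 1 with q = 11 and r = 3, so
# the cofactor (p-1)/q = 6 contains the small prime factor r = 3.
P = 67          # prime modulus
Q = 11          # order of the intended DH subgroup
G = 64          # g = 2^((p-1)/q) mod p, a generator of the order-q subgroup
R = 3           # small prime factor of the cofactor (p-1)/q


def element_of_order(h, r, p=P):
    """Return h^((p-1)/r) mod p, an element whose order divides r.

    With h = 2 and r = 3 on these constructed parameters the result has
    order exactly 3, i.e. it lies outside the intended order-q subgroup."""
    return pow(h, (p - 1) // r, p)


def naive_peer_check(p, peer_q, y):
    """Check modelled on the flaw described on this page: subgroup membership
    is tested against whatever q arrived with the peer key, so a peer that
    sends q = r and a value of order r passes."""
    return 1 < y < p - 1 and pow(y, peer_q, p) == 1


def hardened_peer_check(own, peer, y):
    """Hardened check: the peer's (p, q, g) must equal our own domain
    parameters, and y must satisfy 1 < y < p-1 and y^q = 1 mod p for OUR q.
    A value of small order r fails because r does not divide q."""
    own_p, own_q, _own_g = own
    if peer != own:
        return False
    if not 1 < y < own_p - 1:
        return False
    return pow(y, own_q, own_p) == 1


def run_demo():
    """Evaluate both checks on an honest public value and on a low-order value
    presented with a forged q; returns a dict of outcomes (all should be True)."""
    honest_y = pow(G, 5, P)                 # legitimate public value G^x with x = 5
    low_order_y = element_of_order(2, R)    # value of order R = 3, not in the q-subgroup
    own = (P, Q, G)
    forged = (P, R, G)                      # same p and g, but q replaced by r
    return {
        "naive_accepts_honest": naive_peer_check(P, Q, honest_y),
        "naive_accepts_low_order_with_forged_q": naive_peer_check(P, R, low_order_y),
        "hardened_accepts_honest": hardened_peer_check(own, own, honest_y),
        "hardened_rejects_forged_q": not hardened_peer_check(own, forged, low_order_y),
        "hardened_rejects_low_order_even_with_own_q": not hardened_peer_check(own, own, low_order_y),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The defensive point is the second function: subgroup membership must be tested with the recipient's own q (and the peer's parameters must match the recipient's), since a q chosen by the peer says nothing about which subgroup the value actually lies in.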

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1. Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.21.

Added: Jun 9, 2026, 8:02 PM
Updated: Jun 9, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 8.0
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.