FKIE_CVE-2026-2673

Vulnerability from fkie_nvd - Published: 2026-03-13 19:54 - Updated: 2026-05-13 19:17
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.
References
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f
openssl-security@openssl.orghttps://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34
openssl-security@openssl.orghttps://openssl-library.org/news/secadv/20260313.txt
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2026/03/13/3
0b142b55-0307-4c5a-b3c9-f314f3fb7c5ehttps://cert-portal.siemens.com/productcert/html/ssa-032379.html
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the \u0027DEFAULT\u0027 keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client\u0027s initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\nwere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\nconfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\nonly ones in the client\u0027s initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\nequivalent security.  Within each tuple the most preferred group included among\nthe client\u0027s predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server\u0027s configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group \u0027tuples\u0027.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue."
    },
    {
      "lang": "es",
      "value": "Resumen del problema: Un servidor OpenSSL TLS 1.3 puede fallar al negociar el grupo de intercambio de claves preferido esperado cuando su configuraci\u00f3n de grupo de intercambio de claves incluye el predeterminado al usar la palabra clave \u0027DEFAULT\u0027.\n\nResumen del impacto: Un intercambio de claves menos preferido puede ser usado incluso cuando un grupo m\u00e1s preferido es soportado tanto por el cliente como por el servidor, si el grupo no fue incluido entre los keyshares iniciales predichos del cliente. Este ser\u00e1 a veces el caso con los nuevos grupos h\u00edbridos post-cu\u00e1nticos, si el cliente elige aplazar su uso hasta que sea solicitado espec\u00edficamente por el servidor.\n\nSi la configuraci\u00f3n de un servidor OpenSSL TLS 1.3 usa la palabra clave \u0027DEFAULT\u0027 para interpolar la lista de grupos predeterminada incorporada en su propia configuraci\u00f3n, quiz\u00e1s a\u00f1adiendo o eliminando elementos espec\u00edficos, entonces un defecto de implementaci\u00f3n causa que la lista \u0027DEFAULT\u0027 pierda su estructura de \u0027tupla\u0027, y todos los grupos soportados por el servidor fueron tratados como una \u00fanica \u0027tupla\u0027 suficientemente segura, con el servidor no enviando una Solicitud de Reintento de Hello (HRR) incluso cuando un grupo en una tupla m\u00e1s preferida era mutuamente soportado.\n\nComo resultado, el cliente y el servidor podr\u00edan fallar al negociar un grupo de acuerdo de clave post-cu\u00e1ntico mutuamente soportado, como \u0027X25519MLKEM768\u0027, si la configuraci\u00f3n del cliente resulta en solo grupos \u0027cl\u00e1sicos\u0027 (como \u0027X25519\u0027 siendo los \u00fanicos en la predicci\u00f3n inicial de keyshare del cliente).\n\nOpenSSL 3.5 y posteriores soportan una nueva sintaxis para seleccionar el grupo de acuerdo de clave TLS 1.3 m\u00e1s preferido en servidores TLS. La sintaxis antigua ten\u00eda una \u00fanica lista \u0027plana\u0027 de grupos, y trataba todos los grupos soportados como suficientemente seguros. Si alguno de los keyshares predichos por el cliente era soportado por el servidor, el m\u00e1s preferido entre estos era seleccionado, incluso si otros grupos soportados por el cliente, pero no incluidos en la lista de keyshares predichos, habr\u00edan sido m\u00e1s preferidos, si se hubieran incluido.\n\nLa nueva sintaxis particiona los grupos en \u0027tuplas\u0027 distintas de seguridad aproximadamente equivalente. Dentro de cada tupla se elige el grupo m\u00e1s preferido incluido entre los keyshares predichos del cliente, pero si el cliente soporta un grupo de una tupla m\u00e1s preferida, pero no predijo ning\u00fan keyshare correspondiente, el servidor pedir\u00e1 al cliente que reintente el ClientHello (emitiendo una Solicitud de Reintento de Hello o HRR) con el grupo mutuamente soportado m\u00e1s preferido.\n\nLo anterior funciona como se espera cuando la configuraci\u00f3n del servidor usa la lista de grupos predeterminada incorporada, o define expl\u00edcitamente su propia lista definiendo directamente los diversos grupos y \u0027tuplas\u0027 de grupo deseados.\n\nNing\u00fan m\u00f3dulo FIPS de OpenSSL est\u00e1 afectado por este problema, el c\u00f3digo en cuesti\u00f3n se encuentra fuera del l\u00edmite FIPS.\n\nOpenSSL 3.6 y 3.5 son vulnerables a este problema.\n\nLos usuarios de OpenSSL 3.6 deber\u00edan actualizar a OpenSSL 3.6.2 una vez que sea lanzado.\nLos usuarios de OpenSSL 3.5 deber\u00edan actualizar a OpenSSL 3.5.6 una vez que sea lanzado.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 y 1.1.1 no est\u00e1n afectados por este problema."
    }
  ],
  "id": "CVE-2026-2673",
  "lastModified": "2026-05-13T19:17:04.947",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-13T19:54:34.033",
  "references": [
    {
      "source": "openssl-security@openssl.org",
      "url": "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f"
    },
    {
      "source": "openssl-security@openssl.org",
      "url": "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34"
    },
    {
      "source": "openssl-security@openssl.org",
      "url": "https://openssl-library.org/news/secadv/20260313.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/13/3"
    },
    {
      "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    }
  ],
  "sourceIdentifier": "openssl-security@openssl.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-757"
        }
      ],
      "source": "openssl-security@openssl.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.