CVE-2026-2673 (GCVE-0-2026-2673)

Vulnerability from cvelistv5 – Published: 2026-03-13 13:23 – Updated: 2026-05-18 19:23
VLAI
Title
OpenSSL TLS 1.3 server may choose unexpected key agreement group
Summary
Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.
Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Assigner
References
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: 3.6.0 , < 3.6.2 (semver)
Affected: 3.5.0 , < 3.5.6 (semver)
Create a notification for this product.
Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
Create a notification for this product.
Date Public
2026-03-13 14:00
Credits
Viktor Dukhovni Viktor Dukhovni
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-13T15:15:21.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/13/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-2673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T17:17:17.444679Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T19:23:37.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:08:46.771Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.6.2",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.6",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Viktor Dukhovni"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Viktor Dukhovni"
        }
      ],
      "datePublic": "2026-03-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\u003cbr\u003epreferred key exchange group when its key exchange group configuration includes\u003cbr\u003ethe default by using the \u0027DEFAULT\u0027 keyword.\u003cbr\u003e\u003cbr\u003eImpact summary: A less preferred key exchange may be used even when a more\u003cbr\u003epreferred group is supported by both client and server, if the group\u003cbr\u003ewas not included among the client\u0027s initial predicated keyshares.\u003cbr\u003eThis will sometimes be the case with the new hybrid post-quantum groups,\u003cbr\u003eif the client chooses to defer their use until specifically requested by\u003cbr\u003ethe server.\u003cbr\u003e\u003cbr\u003eIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\u003cbr\u003einterpolate the built-in default group list into its own configuration, perhaps\u003cbr\u003eadding or removing specific elements, then an implementation defect causes the\u003cbr\u003e\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\u003cbr\u003ewere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\u003cbr\u003esending a Hello Retry Request (HRR) even when a group in a more preferred tuple\u003cbr\u003ewas mutually supported.\u003cbr\u003e\u003cbr\u003eAs a result, the client and server might fail to negotiate a mutually supported\u003cbr\u003epost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\u003cbr\u003econfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\u003cbr\u003eonly ones in the client\u0027s initial keyshare prediction).\u003cbr\u003e\u003cbr\u003eOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\u003cbr\u003e1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\u003cbr\u003elist of groups, and treated all the supported groups as sufficiently secure.\u003cbr\u003eIf any of the keyshares predicted by the client were supported by the server\u003cbr\u003ethe most preferred among these was selected, even if other groups supported by\u003cbr\u003ethe client, but not included in the list of predicted keyshares would have been\u003cbr\u003emore preferred, if included.\u003cbr\u003e\u003cbr\u003eThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\u003cbr\u003eequivalent security.  Within each tuple the most preferred group included among\u003cbr\u003ethe client\u0027s predicted keyshares is chosen, but if the client supports a group\u003cbr\u003efrom a more preferred tuple, but did not predict any corresponding keyshares,\u003cbr\u003ethe server will ask the client to retry the ClientHello (by issuing a Hello\u003cbr\u003eRetry Request or HRR) with the most preferred mutually supported group.\u003cbr\u003e\u003cbr\u003eThe above works as expected when the server\u0027s configuration uses the built-in\u003cbr\u003edefault group list, or explicitly defines its own list by directly defining the\u003cbr\u003evarious desired groups and group \u0027tuples\u0027.\u003cbr\u003e\u003cbr\u003eNo OpenSSL FIPS modules are affected by this issue, the code in question lies\u003cbr\u003eoutside the FIPS boundary.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6 and 3.5 are vulnerable to this issue.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\u003cbr\u003eOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue."
            }
          ],
          "value": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the \u0027DEFAULT\u0027 keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client\u0027s initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\nwere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\nconfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\nonly ones in the client\u0027s initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\nequivalent security.  Within each tuple the most preferred group included among\nthe client\u0027s predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server\u0027s configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group \u0027tuples\u0027.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-757",
              "description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T13:23:00.376Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260313.txt"
        },
        {
          "name": "3.6.2 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f"
        },
        {
          "name": "3.5.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "OpenSSL TLS 1.3 server may choose unexpected key agreement group",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-2673",
    "datePublished": "2026-03-13T13:23:00.376Z",
    "dateReserved": "2026-02-18T09:41:04.155Z",
    "dateUpdated": "2026-05-18T19:23:37.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-2673",
      "date": "2026-06-03",
      "epss": "0.00023",
      "percentile": "0.06635"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2673\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2026-03-13T19:54:34.033\",\"lastModified\":\"2026-05-18T20:16:37.763\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\\npreferred key exchange group when its key exchange group configuration includes\\nthe default by using the \u0027DEFAULT\u0027 keyword.\\n\\nImpact summary: A less preferred key exchange may be used even when a more\\npreferred group is supported by both client and server, if the group\\nwas not included among the client\u0027s initial predicated keyshares.\\nThis will sometimes be the case with the new hybrid post-quantum groups,\\nif the client chooses to defer their use until specifically requested by\\nthe server.\\n\\nIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\\ninterpolate the built-in default group list into its own configuration, perhaps\\nadding or removing specific elements, then an implementation defect causes the\\n\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\\nwere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\\nwas mutually supported.\\n\\nAs a result, the client and server might fail to negotiate a mutually supported\\npost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\\nconfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\\nonly ones in the client\u0027s initial keyshare prediction).\\n\\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\\n1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\\nlist of groups, and treated all the supported groups as sufficiently secure.\\nIf any of the keyshares predicted by the client were supported by the server\\nthe most preferred among these was selected, even if other groups supported by\\nthe client, but not included in the list of predicted keyshares would have been\\nmore preferred, if included.\\n\\nThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\\nequivalent security.  Within each tuple the most preferred group included among\\nthe client\u0027s predicted keyshares is chosen, but if the client supports a group\\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\\nthe server will ask the client to retry the ClientHello (by issuing a Hello\\nRetry Request or HRR) with the most preferred mutually supported group.\\n\\nThe above works as expected when the server\u0027s configuration uses the built-in\\ndefault group list, or explicitly defines its own list by directly defining the\\nvarious desired groups and group \u0027tuples\u0027.\\n\\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\\noutside the FIPS boundary.\\n\\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\\n\\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\\n\\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.\"},{\"lang\":\"es\",\"value\":\"Resumen del problema: Un servidor OpenSSL TLS 1.3 puede fallar al negociar el grupo de intercambio de claves preferido esperado cuando su configuraci\u00f3n de grupo de intercambio de claves incluye el predeterminado al usar la palabra clave \u0027DEFAULT\u0027.\\n\\nResumen del impacto: Un intercambio de claves menos preferido puede ser usado incluso cuando un grupo m\u00e1s preferido es soportado tanto por el cliente como por el servidor, si el grupo no fue incluido entre los keyshares iniciales predichos del cliente. Este ser\u00e1 a veces el caso con los nuevos grupos h\u00edbridos post-cu\u00e1nticos, si el cliente elige aplazar su uso hasta que sea solicitado espec\u00edficamente por el servidor.\\n\\nSi la configuraci\u00f3n de un servidor OpenSSL TLS 1.3 usa la palabra clave \u0027DEFAULT\u0027 para interpolar la lista de grupos predeterminada incorporada en su propia configuraci\u00f3n, quiz\u00e1s a\u00f1adiendo o eliminando elementos espec\u00edficos, entonces un defecto de implementaci\u00f3n causa que la lista \u0027DEFAULT\u0027 pierda su estructura de \u0027tupla\u0027, y todos los grupos soportados por el servidor fueron tratados como una \u00fanica \u0027tupla\u0027 suficientemente segura, con el servidor no enviando una Solicitud de Reintento de Hello (HRR) incluso cuando un grupo en una tupla m\u00e1s preferida era mutuamente soportado.\\n\\nComo resultado, el cliente y el servidor podr\u00edan fallar al negociar un grupo de acuerdo de clave post-cu\u00e1ntico mutuamente soportado, como \u0027X25519MLKEM768\u0027, si la configuraci\u00f3n del cliente resulta en solo grupos \u0027cl\u00e1sicos\u0027 (como \u0027X25519\u0027 siendo los \u00fanicos en la predicci\u00f3n inicial de keyshare del cliente).\\n\\nOpenSSL 3.5 y posteriores soportan una nueva sintaxis para seleccionar el grupo de acuerdo de clave TLS 1.3 m\u00e1s preferido en servidores TLS. La sintaxis antigua ten\u00eda una \u00fanica lista \u0027plana\u0027 de grupos, y trataba todos los grupos soportados como suficientemente seguros. Si alguno de los keyshares predichos por el cliente era soportado por el servidor, el m\u00e1s preferido entre estos era seleccionado, incluso si otros grupos soportados por el cliente, pero no incluidos en la lista de keyshares predichos, habr\u00edan sido m\u00e1s preferidos, si se hubieran incluido.\\n\\nLa nueva sintaxis particiona los grupos en \u0027tuplas\u0027 distintas de seguridad aproximadamente equivalente. Dentro de cada tupla se elige el grupo m\u00e1s preferido incluido entre los keyshares predichos del cliente, pero si el cliente soporta un grupo de una tupla m\u00e1s preferida, pero no predijo ning\u00fan keyshare correspondiente, el servidor pedir\u00e1 al cliente que reintente el ClientHello (emitiendo una Solicitud de Reintento de Hello o HRR) con el grupo mutuamente soportado m\u00e1s preferido.\\n\\nLo anterior funciona como se espera cuando la configuraci\u00f3n del servidor usa la lista de grupos predeterminada incorporada, o define expl\u00edcitamente su propia lista definiendo directamente los diversos grupos y \u0027tuplas\u0027 de grupo deseados.\\n\\nNing\u00fan m\u00f3dulo FIPS de OpenSSL est\u00e1 afectado por este problema, el c\u00f3digo en cuesti\u00f3n se encuentra fuera del l\u00edmite FIPS.\\n\\nOpenSSL 3.6 y 3.5 son vulnerables a este problema.\\n\\nLos usuarios de OpenSSL 3.6 deber\u00edan actualizar a OpenSSL 3.6.2 una vez que sea lanzado.\\nLos usuarios de OpenSSL 3.5 deber\u00edan actualizar a OpenSSL 3.5.6 una vez que sea lanzado.\\n\\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 y 1.1.1 no est\u00e1n afectados por este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-757\"}]}],\"references\":[{\"url\":\"https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://openssl-library.org/news/secadv/20260313.txt\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/13/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-032379.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/13/3\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-13T15:15:21.059Z\"}}, {\"affected\": [{\"vendor\": \"Siemens\", \"product\": \"SIMATIC CN 4100\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V5.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"x_adpType\": \"supplier\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-032379.html\"}], \"providerMetadata\": {\"orgId\": \"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\", \"shortName\": \"siemens-SADP\", \"dateUpdated\": \"2026-05-12T12:08:46.771Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2673\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-17T17:17:17.444679Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-17T17:17:37.715Z\"}}], \"cna\": {\"title\": \"OpenSSL TLS 1.3 server may choose unexpected key agreement group\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Viktor Dukhovni\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Viktor Dukhovni\"}], \"metrics\": [{\"other\": {\"type\": \"https://openssl-library.org/policies/general/security-policy/\", \"content\": {\"text\": \"Low\"}}, \"format\": \"other\"}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.6.0\", \"lessThan\": \"3.6.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.5.0\", \"lessThan\": \"3.5.6\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-13T14:00:00.000Z\", \"references\": [{\"url\": \"https://openssl-library.org/news/secadv/20260313.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f\", \"name\": \"3.6.2 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34\", \"name\": \"3.5.6 git commit\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\\npreferred key exchange group when its key exchange group configuration includes\\nthe default by using the \u0027DEFAULT\u0027 keyword.\\n\\nImpact summary: A less preferred key exchange may be used even when a more\\npreferred group is supported by both client and server, if the group\\nwas not included among the client\u0027s initial predicated keyshares.\\nThis will sometimes be the case with the new hybrid post-quantum groups,\\nif the client chooses to defer their use until specifically requested by\\nthe server.\\n\\nIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\\ninterpolate the built-in default group list into its own configuration, perhaps\\nadding or removing specific elements, then an implementation defect causes the\\n\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\\nwere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\\nwas mutually supported.\\n\\nAs a result, the client and server might fail to negotiate a mutually supported\\npost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\\nconfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\\nonly ones in the client\u0027s initial keyshare prediction).\\n\\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\\n1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\\nlist of groups, and treated all the supported groups as sufficiently secure.\\nIf any of the keyshares predicted by the client were supported by the server\\nthe most preferred among these was selected, even if other groups supported by\\nthe client, but not included in the list of predicted keyshares would have been\\nmore preferred, if included.\\n\\nThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\\nequivalent security.  Within each tuple the most preferred group included among\\nthe client\u0027s predicted keyshares is chosen, but if the client supports a group\\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\\nthe server will ask the client to retry the ClientHello (by issuing a Hello\\nRetry Request or HRR) with the most preferred mutually supported group.\\n\\nThe above works as expected when the server\u0027s configuration uses the built-in\\ndefault group list, or explicitly defines its own list by directly defining the\\nvarious desired groups and group \u0027tuples\u0027.\\n\\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\\noutside the FIPS boundary.\\n\\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\\n\\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\\n\\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\u003cbr\u003epreferred key exchange group when its key exchange group configuration includes\u003cbr\u003ethe default by using the \u0027DEFAULT\u0027 keyword.\u003cbr\u003e\u003cbr\u003eImpact summary: A less preferred key exchange may be used even when a more\u003cbr\u003epreferred group is supported by both client and server, if the group\u003cbr\u003ewas not included among the client\u0027s initial predicated keyshares.\u003cbr\u003eThis will sometimes be the case with the new hybrid post-quantum groups,\u003cbr\u003eif the client chooses to defer their use until specifically requested by\u003cbr\u003ethe server.\u003cbr\u003e\u003cbr\u003eIf an OpenSSL TLS 1.3 server\u0027s configuration uses the \u0027DEFAULT\u0027 keyword to\u003cbr\u003einterpolate the built-in default group list into its own configuration, perhaps\u003cbr\u003eadding or removing specific elements, then an implementation defect causes the\u003cbr\u003e\u0027DEFAULT\u0027 list to lose its \u0027tuple\u0027 structure, and all server-supported groups\u003cbr\u003ewere treated as a single sufficiently secure \u0027tuple\u0027, with the server not\u003cbr\u003esending a Hello Retry Request (HRR) even when a group in a more preferred tuple\u003cbr\u003ewas mutually supported.\u003cbr\u003e\u003cbr\u003eAs a result, the client and server might fail to negotiate a mutually supported\u003cbr\u003epost-quantum key agreement group, such as \u0027X25519MLKEM768\u0027, if the client\u0027s\u003cbr\u003econfiguration results in only \u0027classical\u0027 groups (such as \u0027X25519\u0027 being the\u003cbr\u003eonly ones in the client\u0027s initial keyshare prediction).\u003cbr\u003e\u003cbr\u003eOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\u003cbr\u003e1.3 key agreement group on TLS servers.  The old syntax had a single \u0027flat\u0027\u003cbr\u003elist of groups, and treated all the supported groups as sufficiently secure.\u003cbr\u003eIf any of the keyshares predicted by the client were supported by the server\u003cbr\u003ethe most preferred among these was selected, even if other groups supported by\u003cbr\u003ethe client, but not included in the list of predicted keyshares would have been\u003cbr\u003emore preferred, if included.\u003cbr\u003e\u003cbr\u003eThe new syntax partitions the groups into distinct \u0027tuples\u0027 of roughly\u003cbr\u003eequivalent security.  Within each tuple the most preferred group included among\u003cbr\u003ethe client\u0027s predicted keyshares is chosen, but if the client supports a group\u003cbr\u003efrom a more preferred tuple, but did not predict any corresponding keyshares,\u003cbr\u003ethe server will ask the client to retry the ClientHello (by issuing a Hello\u003cbr\u003eRetry Request or HRR) with the most preferred mutually supported group.\u003cbr\u003e\u003cbr\u003eThe above works as expected when the server\u0027s configuration uses the built-in\u003cbr\u003edefault group list, or explicitly defines its own list by directly defining the\u003cbr\u003evarious desired groups and group \u0027tuples\u0027.\u003cbr\u003e\u003cbr\u003eNo OpenSSL FIPS modules are affected by this issue, the code in question lies\u003cbr\u003eoutside the FIPS boundary.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6 and 3.5 are vulnerable to this issue.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\u003cbr\u003eOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-757\", \"description\": \"CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2026-03-13T13:23:00.376Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2673\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-18T19:23:37.078Z\", \"dateReserved\": \"2026-02-18T09:41:04.155Z\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2026-03-13T13:23:00.376Z\", \"assignerShortName\": \"openssl\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.