CVE-2026-2673

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.5 and 3.6 OpenSSL versions prior to 3.4 OpenSSL versions prior to 3.3 OpenSSL versions prior to 3.0 OpenSSL versions prior to 1.0.2 OpenSSL versions prior to 1.1.1

Description An issue exists in OpenSSL TLS 1.3 servers where the server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. This can result in a less preferred key exchange being used, even when a more secure group is supported by both the client and server, if the preferred group was not included in the client's initial keyshare predictions. This is particularly relevant with new hybrid post-quantum groups, where the client might defer their use until specifically requested by the server. The root cause is an implementation defect that causes the 'DEFAULT' list to lose its 'tuple' structure, treating all server-supported groups as a single sufficiently secure tuple, and preventing the server from sending a Hello Retry Request (HRR) when a more preferred group is mutually supported. The issue does not affect OpenSSL FIPS modules.

Recommendations OpenSSL version 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL version 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL versions prior to 3.4 should be upgraded. OpenSSL versions prior to 3.3 should be upgraded. OpenSSL versions prior to 3.0 should be upgraded. OpenSSL versions prior to 1.0.2 should be upgraded. OpenSSL versions prior to 1.1.1 should be upgraded.