Description
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.

"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."

An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.

Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Published: 2026-07-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Crypt::DSA versions before 1.22 originates from a biased random number generator used to produce the DSA signing nonce and private key. The implementation forces the high bit on each generated value, creating a non‑uniform distribution that can be exploited using a lattice-based attack. An attacker who gathers a modest number of signatures signed with an affected key, together with the public key, can recover the private key, thereby compromising the integrity and authenticity guarantees of all signatures generated with that key.

Affected Systems

The affected product is TIMLEGGE Crypt::DSA for Perl, specifically all releases prior to 1.22. While the module was deprecated in version 1.20, any version before 1.22 remains vulnerable and should be avoided or updated.

Risk and Exploitability

Because the flaw permits private key recovery from collected signatures, the risk is high when the affected key is used in production or signatures are publicly observable. Exploitation requires the attacker to obtain a set of signatures and the corresponding public key, which is realistic for users signing logs or communications. The EPSS score of less than 1% indicates a low overall likelihood of exploitation, and the vulnerability is not listed in CISA KEV; however, the cryptographic weakness remains a serious threat when the key is in use.

Generated by OpenCVE AI on July 6, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Upgrade to version 1.22 or later, which draws the nonce and private key uniformly via rejection sampling (Crypt::DSA::Util::randombelow) with no forced high bit. Revoke and regenerate any keys used to sign with an affected version. Crypt::DSA was deprecated in version 1.20. You should migrate to another solution.


OpenCVE Recommended Actions

  • Upgrade to Crypt::DSA version 1.22 or later, which restores uniform random generation of nonces and keys.
  • Revoke and regenerate any private affected version of Crypt::DSA.
  • Migrate to an alternative DSA implementation that is actively maintained, such as Crypt::OpenSSL::DSA, to avoid future cryptographic regressions.

Generated by OpenCVE AI on July 6, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-338
References
Metrics threat_severity

None

threat_severity

Important


Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Jul 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Timlegge
Timlegge crypt::dsa
Vendors & Products Timlegge
Timlegge crypt::dsa

Sun, 05 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Description Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Title Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery
Weaknesses CWE-330
References

Subscriptions

Timlegge Crypt::dsa
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-06T13:42:11.715Z

Reserved: 2026-07-03T10:37:19.787Z

Link: CVE-2026-14570

cve-icon Vulnrichment

Updated: 2026-07-05T05:19:58.316Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-05T01:30:12Z

Links: CVE-2026-14570 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T18:00:05Z

Weaknesses
  • CWE-330

    Use of Insufficiently Random Values

  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)