Description
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.

"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."

An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.

Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Published: 2026-07-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a

Remediation

Vendor Solution

Upgrade to version 1.22 or later, which draws the nonce and private key uniformly via rejection sampling (Crypt::DSA::Util::randombelow) with no forced high bit. Revoke and regenerate any keys used to sign with an affected version. Crypt::DSA was deprecated in version 1.20. You should migrate to another solution.
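The bias the advisory describes, side by side with the rejection-sampling fix, as an added Python illustration. This is not Crypt::DSA's own code: the forced-high-bit generator is a model of the behaviour the advisory attributes to makerandom, and Q_EXAMPLE is a constructed stand-in for a 160-bit subgroup order, not real DSA parameters.

```python
import random
import secrets
from typing import Callable, Optional, Tuple

# Constructed stand-in for a DSA subgroup order q with N = 160: a 160-bit odd
# integer with its top bit set (not real domain parameters).
Q_BITS = 160
Q_EXAMPLE = (1 << 159) + (1 << 158) + 1

RandBits = Callable[[int], int]

def makerandom_forced_high_bit(bits: int, rand_bits: RandBits = secrets.randbits) -> int:
    """Model of the pre-1.22 behaviour the advisory describes (not the module's
    actual code): OR in the top bit so the value is exactly `bits` bits wide.
    Every result lies in [2**(bits-1), 2**bits), so one bit of each nonce is known."""
    return rand_bits(bits) | (1 << (bits - 1))

def randombelow(n: int, rand_bits: RandBits = secrets.randbits) -> int:
    """Rejection sampling, as the fixed version is described: draw bit_length(n)
    bits and retry until 1 <= r < n. No bit is fixed, so r is uniform on [1, n-1]."""
    while True:
        r = rand_bits(n.bit_length())
        if 1 <= r < n:
            return r

def high_bit_fraction(draw: Callable[[], int], samples: int) -> float:
    """Fraction of draws with bit (Q_BITS-1) set. Uniform on [1, q-1] this is
    (q - 2**(Q_BITS-1)) / (q - 1), about 1/3 for Q_EXAMPLE; forced high bit: 1."""
    hits = sum((draw() >> (Q_BITS - 1)) & 1 for _ in range(samples))
    return hits / samples

def compare(samples: int = 4000, seed: Optional[int] = None) -> Tuple[float, float]:
    """Return (biased_fraction, uniform_fraction); a seed makes the run repeatable."""
    rand_bits = random.Random(seed).getrandbits if seed is not None else secrets.randbits
    biased = high_bit_fraction(lambda: makerandom_forced_high_bit(Q_BITS, rand_bits), samples)
    uniform = high_bit_fraction(lambda: randombelow(Q_EXAMPLE, rand_bits), samples)
    return biased, uniform

if __name__ == "__main__":
    biased, uniform = compare()
    print(f"forced high bit:    top bit set in {biased:.0%} of nonces")
    print(f"rejection sampling: top bit set in {uniform:.0%} of nonces")
```

The forced-high-bit generator never produces a nonce below 2**159, which is exactly the per-signature leak a lattice attack on DSA nonces consumes; the rejection sampler's top bit follows the uniform distribution on [1, q-1].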

Advisories

No advisories yet.

History

Sun, 05 Jul 2026 03:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Timlegge; Timlegge crypt::dsa
Vendors & Products  |                | Timlegge; Timlegge crypt::dsa

Sun, 05 Jul 2026 02:00:00 +0000

Type        | Values Removed | Values Added
Description |                | (the full description text shown in the Description section above)
Title       |                | Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery
Weaknesses  |                | CWE-330
References  |                |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-05T01:30:12.849Z

Reserved: 2026-07-03T10:37:19.787Z

Link: CVE-2026-14570

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T03:30:05Z

Weaknesses