JLSEC-2026-214

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-214.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-214.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2026-214
Upstream
  • EUVD-2019-10104
  • GHSA-q2qv-648h-wcqp
Published
2026-04-27T18:33:55.942Z
Modified
2026-04-27T19:32:24.579888556Z
Summary
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel...
Details

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-1547",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547",
            "database_specific": {
                "status": "Modified"
            },
            "modified": "2024-11-21T04:36:48.160Z",
            "id": "CVE-2019-1547",
            "imported": "2026-04-27T16:32:26.104Z",
            "published": "2019-09-10T17:15:11.750Z"
        },
        {
            "url": "https://api.github.com/advisories/GHSA-q2qv-648h-wcqp",
            "html_url": "https://github.com/advisories/GHSA-q2qv-648h-wcqp",
            "id": "GHSA-q2qv-648h-wcqp",
            "modified": "2024-06-21T21:33:48Z",
            "imported": "2026-04-27T16:35:26.172Z",
            "published": "2022-05-24T16:55:52Z"
        },
        {
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2019-10104",
            "id": "EUVD-2019-10104",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2019-10104",
            "modified": "2024-09-16T16:33:05Z",
            "imported": "2026-04-27T16:33:27.169Z",
            "published": "2019-09-10T16:58:35Z"
        }
    ]
}
References

Affected packages

Julia / OpenSSL_jll

Package

Name
OpenSSL_jll
Purl
pkg:julia/OpenSSL_jll?uuid=458c3c95-2e84-50aa-8efc-19380b2a3a95

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.1+2

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-214.json"