CVE-2021-40529
5.9 MEDIUMThe ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during ...
Published: 2021-09-06 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-327
Affected products
| Vendor | Product |
|---|---|
| botan_project | botan, fedora, thunderbird |
| fedoraproject | botan, fedora, thunderbird |
| mozilla | botan, fedora, thunderbird |
Description
The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-40529
- [Other]https://eprint.iacr.org/2021/923
- [Patch]https://github.com/randombit/botan/pull/2790
- [Other]https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- [Exploit reference]https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72NB4OLD3VHJC3YF3PEP2HKF6BYURPAO/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPHGYWNJQKWLTUWBNSFB4F66MQDIL3IB/
- [Other]https://security.gentoo.org/glsa/202208-14
- [Other]https://eprint.iacr.org/2021/923
- [Patch]https://github.com/randombit/botan/pull/2790
- [Other]https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- [Exploit reference]https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72NB4OLD3VHJC3YF3PEP2HKF6BYURPAO/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPHGYWNJQKWLTUWBNSFB4F66MQDIL3IB/
- [Other]https://security.gentoo.org/glsa/202208-14
Related CVEs
Same vendor
- CVE-2026-12330 — Incorrect boundary conditions in the Internationalization component (5.4 MEDIUM)
- CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
- CVE-2026-12328 — Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (8.1 HIGH)
- CVE-2026-12323 — Spoofing issue in the DOM: Core & HTML component (5.4 MEDIUM)
- CVE-2026-12322 — Clickjacking issue in the Widget: Gtk component (5.4 MEDIUM)
Same CWE
- CVE-2026-9261 — Use of weak SSH cryptographic algorithms in Canon EOS Network Setting Tool Version 1.5.0 or earlier (6.8 MEDIUM)
- CVE-2026-50086 — The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authent... (10.0 CRITICAL)
- CVE-2026-40996 — Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation Reques... (4.8 MEDIUM)
- CVE-2025-10237 — During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could... (6.7 MEDIUM)
- CVE-2026-11481 — A vulnerability was determined in yoanbernabeu grepai up to 0.35.0 (2.5 LOW)