CVE-2026-2673 Details
Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected
preferred key exchange group when its key exchange group configuration includes
the default by using the 'DEFAULT' keyword.

Impact summary: A less preferred key exchange may be used even when a more
preferred group is supported by both client and server, if the group
was not included among the client's initial predicated keyshares.
This will sometimes be the case with the new hybrid post-quantum groups,
if the client chooses to defer their use until specifically requested by
the server.

If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to
interpolate the built-in default group list into its own configuration, perhaps
adding or removing specific elements, then an implementation defect causes the
'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups
were treated as a single sufficiently secure 'tuple', with the server not
sending a Hello Retry Request (HRR) even when a group in a more preferred tuple
was mutually supported.

As a result, the client and server might fail to negotiate a mutually supported
post-quantum key agreement group, such as 'X25519MLKEM768', if the client's
configuration results in only 'classical' groups (such as 'X25519' being the
only ones in the client's initial keyshare prediction).

OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS
1.3 key agreement group on TLS servers. The old syntax had a single 'flat'
list of groups, and treated all the supported groups as sufficiently secure.
If any of the keyshares predicted by the client were supported by the server
the most preferred among these was selected, even if other groups supported by
the client, but not included in the list of predicted keyshares would have been
more preferred, if included.

The new syntax partitions the groups into distinct 'tuples' of roughly
equivalent security. Within each tuple the most preferred group included among
the client's predicted keyshares is chosen, but if the client supports a group
from a more preferred tuple, but did not predict any corresponding keyshares,
the server will ask the client to retry the ClientHello (by issuing a Hello
Retry Request or HRR) with the most preferred mutually supported group.

The above works as expected when the server's configuration uses the built-in
default group list, or explicitly defines its own list by directly defining the
various desired groups and group 'tuples'.

No OpenSSL FIPS modules are affected by this issue, the code in question lies
outside the FIPS boundary.

OpenSSL 3.6 and 3.5 are vulnerable to this issue.

OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.
OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.

OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.
View at NVD
Exploit prediction scoring system (EPSS) score for CVE-2026-2673
EPSS (Exploit Prediction Scoring System): EPSS predicts the likelihood that a vulnerability will be exploited in the wild. A higher percentage means a greater chance of an exploit occurring. The EPSS model produces a probability score between 0 and 1 (0 and 100%).
0.43 Probability of exploitation activity being observed over the next 30 days (35th percentile)
CVSS score for CVE-2026-2673
CVSS (Common Vulnerability Scoring System): An open framework owned and managed by FIRST.Org, Inc. that assigns a numerical score from 0 to 10 to software vulnerabilities to indicate their severity.
6.5 Medium
Products affected by CVE-2026-2673

CVE-2026-2673 Global Footprint

Top 10 Identified Countries

Country Observations Percentage
US 19,847 34.53%
JP 5,410 9.41%
DE 4,886 8.50%
GB 2,845 4.95%
IE 2,092 3.64%
IN 1,971 3.43%
FR 1,739 3.03%
CA 1,653 2.88%
NL 1,413 2.46%
KR 1,097 1.91%

Is CVE-2026-2673 part of your extended attack surface? Bitsight helps security leaders rapidly identify exposure and detect threats in order to prioritize, communicate, and mitigate risk.

View interactive product tours

CVE-2026-2673 Industry Footprint

Top 10 Identified Industries

*Service provider organizations (typically Technology and Telecommunications) are disproportionally represented in the results given their upstream ownership of end-user infrastructure. See our FAQs.

Industry* Observations Percentage
Technology 35,675 78.69%
Telecommunications 4,692 10.35%
Education 3,025 6.67%
Government/Politics 594 1.31%
Business Services 210 0.46%
Manufacturing 153 0.34%
Finance 141 0.31%
Healthcare/Wellness 133 0.29%
Utilities 102 0.22%
Transportation 80 0.18%

Bitsight, the leading provider in Cyber Risk Management, introduced the next-generation internet scanner Bitsight Groma in May 2024. This technology continuously scans the entire internet to discover assets, collect asset attribution evidence, and identify an ever-growing set of security observations, such as vulnerabilities and misconfigurations. Groma’s scanning activities presently encompass:


  • 40 million-plus monitored organizations
  • 250 million-plus host names
  • 4 billion-plus routable IPv4 and IPv6 addresses

Greynoise’s recent study testifies the speed of Bitsight Groma.

Bitsight data discovery
Governance charcoal background

Bitsight TRACE team investigates security incidents and identifies vulnerabilities and threats.

View latest security research 

See what you’re up against across the expanding attack surface. Prioritize what matters most. And mitigate where you’re most vulnerable.

External Attack Surface Management