Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Affecting openssl package, versions [0,]


Severity

Recommended: 0.0, medium (scale 0 to 10)

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-CONAN-OPENSSL-15520214
  • Published: 13 Mar 2026
  • Disclosed: 13 Mar 2026
  • Credit: Viktor Dukhovni

Introduced: 13 Mar 2026

CVE-2026-2673
CWE-757

How to fix?

There is no fixed version for openssl.

Overview

Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in the TLS 1.3 server key agreement group selection when the server configuration includes the 'DEFAULT' keyword. An attacker can influence the negotiation to use a less preferred key agreement group by manipulating the client's initial keyshare predictions, potentially resulting in the use of weaker or unintended cryptographic groups.

Note:

No OpenSSL FIPS modules are affected by this issue; the code in question lies outside the FIPS boundary.

Vendor's statement: "Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next release of 3.6 and 3.5 branches, once it becomes available. The fix is also available in commit 2157c9d8 (for 3.6) and commit 85977e01 (for 3.5) in the OpenSSL git repository".
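
To check whether a deployment meets the precondition named in the Overview (a server group configuration that includes the 'DEFAULT' keyword), the following added example, which is not code from Snyk or the OpenSSL project, scans OpenSSL configuration text for `Groups`/`Curves` directives containing that keyword. It assumes a colon/slash-separated group list with optional `*`, `?` or `-` prefixes, matches case-insensitively so that it over-reports rather than misses, and runs on a constructed sample file.

```python
import re

# Directives assumed to carry a TLS group list in an SSL_CONF section.
GROUP_DIRECTIVES = {"groups", "curves"}

def find_default_keyword(conf_text):
    """Return (line_no, section, value) for each group list using DEFAULT."""
    hits = []
    section = ""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:                               # track the current section
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in GROUP_DIRECTIVES:
            continue
        # Split tuples ('/') and members (':'), then strip prefix markers
        # (assumed list syntax; adjust if your OpenSSL version differs).
        names = [t.strip().lstrip("*?-") for t in re.split(r"[:/]", value)]
        if any(n.upper() == "DEFAULT" for n in names):
            hits.append((line_no, section, value.strip()))
    return hits

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONF = """\
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = tls_defaults
web = tls_web
[tls_defaults]
Groups = ?X25519MLKEM768 / DEFAULT
[tls_web]
MinProtocol = TLSv1.3
Groups = *X25519:secp256r1 / ffdhe3072
"""

if __name__ == "__main__":
    for line_no, section, value in find_default_keyword(SAMPLE_CONF):
        print(f"line {line_no} [{section}]: Groups uses DEFAULT -> {value}")
```

Group lists set by application code rather than a configuration file are not visible to this scan and need a separate review.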
