Vulnerability Description
openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opencryptoki Project | Opencryptoki | 3.25.0 |
Related Weaknesses (CWE)
References
- https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7ePatch
- https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c59Patch
- https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-ExploitPatchVendor Advisory
FAQ
What is CVE-2026-22791?
CVE-2026-22791 is a vulnerability with a CVSS score of 6.6 (MEDIUM). openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with l...
How severe is CVE-2026-22791?
CVE-2026-22791 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22791?
Check the references section above for vendor advisories and patch information. Affected products include: Opencryptoki Project Opencryptoki.