CVE-2026-22791

Published: Jan 13, 2026Modified: Feb 3, 2026

6.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Exploitability: 1.8 / Impact: 4.2

Source: NVD

Description

openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.

Affected (2)

Products: Opencryptoki Project: Opencryptoki

Opencryptoki Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Opencryptoki Project Opencryptoki	Version 3.25.0
Opencryptoki Project Opencryptoki	Version 3.26.0

Related CWEs

Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

References (3)

https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7

Source: security-advisories@github.com

Patch

https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8

Source: security-advisories@github.com

Patch

https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7

Source: security-advisories@github.com

ExploitPatchVendor Advisory

Timeline

No history available yet.