Heap Buffer Overflow Vulnerability in openCryptoki PKCS#11 Library for Linux and AIX
CVE-2026-22791

6.6 MEDIUM

Key Information:

Vendor
CVE Published:
13 January 2026

What is CVE-2026-22791?

The openCryptoki PKCS#11 library versions 3.25.0 and 3.26.0, designed for Linux and AIX, are susceptible to a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation. This flaw can be exploited by an attacker with local access who can supply a malformed EC public key, leading to out-of-bounds writes within the host process. Such exploitation may result in heap corruption or denial of service, posing significant risks to system stability and security.
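The bug class described above, shown as an added illustration that is not openCryptoki's code (the page does not show the CKM_ECDH_AES_KEY_WRAP internals): an assumed fixed-size heap buffer that receives an uncompressed EC public key, the unchecked copy that a malformed key longer than the buffer would overrun, and the length and encoding validation that rejects such input before any write. The struct, function names, buffer size and sample inputs are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class behind this CVE; not openCryptoki code.
 * Assumed setup: a caller-supplied uncompressed EC point (0x04 || X || Y) is copied
 * into a fixed-size heap buffer during an ECDH key-wrap operation. */

#define EC_POINT_MAX 133   /* 1 + 2*66 bytes: largest uncompressed point (P-521) */

typedef struct {
    uint8_t *point;   /* heap buffer of exactly EC_POINT_MAX bytes */
    size_t len;       /* number of valid bytes in point */
} ec_pubkey_t;

/* Vulnerable pattern: the caller-supplied length is trusted, so a malformed key
 * longer than EC_POINT_MAX writes past the end of the heap allocation.
 * Shown for contrast only; never called here. */
int import_point_unchecked(ec_pubkey_t *key, const uint8_t *in, size_t in_len)
{
    memcpy(key->point, in, in_len);   /* heap buffer overflow if in_len > EC_POINT_MAX */
    key->len = in_len;
    return 0;
}

/* Hardened pattern: validate length and encoding before any copy.
 * Returns 0 on success, -1 on rejection. */
int import_point_checked(ec_pubkey_t *key, const uint8_t *in, size_t in_len)
{
    if (key == NULL || key->point == NULL || in == NULL)
        return -1;
    if (in_len < 3 || in_len > EC_POINT_MAX)        /* bounds check before memcpy */
        return -1;
    if (in[0] != 0x04 || ((in_len - 1) % 2) != 0)   /* uncompressed form, X and Y equal size */
        return -1;
    memcpy(key->point, in, in_len);
    key->len = in_len;
    return 0;
}

/* Allocates the assumed fixed-size buffer, runs the checked import, frees it. */
static int run_import(const uint8_t *in, size_t in_len)
{
    ec_pubkey_t key;
    int rc;
    key.point = calloc(EC_POINT_MAX, 1);
    if (key.point == NULL)
        return -1;
    key.len = 0;
    rc = import_point_checked(&key, in, in_len);
    free(key.point);
    return rc;
}

/* Constructed sample: a well-formed 65-byte uncompressed P-256 point (filler bytes, not a real key). */
int example_valid_p256(void)
{
    uint8_t in[65];
    memset(in, 0xAB, sizeof in);
    in[0] = 0x04;
    return run_import(in, sizeof in);     /* returns 0 */
}

/* Constructed sample: a malformed key longer than the buffer, rejected instead of overflowing. */
int example_oversized(void)
{
    uint8_t in[512];
    memset(in, 0xAB, sizeof in);
    in[0] = 0x04;
    return run_import(in, sizeof in);     /* returns -1 */
}

/* Constructed sample: wrong leading byte (compressed form), also rejected. */
int example_wrong_form(void)
{
    uint8_t in[65];
    memset(in, 0xAB, sizeof in);
    in[0] = 0x02;
    return run_import(in, sizeof in);     /* returns -1 */
}
```

The point of the checked variant is that the length test runs on the attacker-controlled value before the copy, so a malformed key is an error return rather than heap corruption; the same check belongs anywhere a PKCS#11 attribute value of caller-chosen length is copied into a fixed allocation.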

Affected Version(s)

opencryptoki >= 3.25.0, <= 3.26.0

References

CVSS V3.1

Score:
6.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
