CVE-2026-22791

Published: Jan 13, 2026

Modified: Jan 13, 2026

PUBLISHED

CVSS v3.1

6.6

MEDIUM

Description

openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.

Vendor	Product	Versions
opencryptoki	opencryptoki	affected `>= 3.25.0, <= 3.26.0`

Weaknesses (CWE)

CWE-131

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

References

https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7

x_refsource_CONFIRM

https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7

x_refsource_MISC

https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-22791

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References