Opencryptoki Project Opencryptoki vulnerabilities

CVE-2026-23893 [MEDIUM] CWE-59 CVE-2026-23893: openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above a openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data

CVE-2026-22791 [MEDIUM] CWE-131 CVE-2026-22791: openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap cor

CVE-2024-0914 [MEDIUM] CWE-203 CVE-2024-0914: A timing side-channel vulnerability has been discovered in the opencryptoki package while processing A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

CVE-2021-3798 [MEDIUM] CWE-200 CVE-2021-3798: A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid w A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

CVE-2012-4455 [MEDIUM] CWE-59 CVE-2012-4455: openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/.

CVE-2012-4454 [LOW] CWE-264 CVE-2012-4454: openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp.