CVE-2026-22791 – openCryptoki versions 3.25.0 and 3.26.0 contain... (How to Fix)

Q: What is the severity of CVE-2026-22791?

CVE-2026-22791 has a CVSS score of 6.6 (MEDIUM). openCryptoki versions 3.25.0 and 3.26.0 contain a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation. An attacker with local access can supply a compressed EC public key and invoke C_WrapKey to cause out-of-bounds writes, potentially leading to heap corruption or denial-of-service. This affects systems using openCryptoki for PKCS#11 cryptographic operations on Linux and AIX.

📋 TL;DR

openCryptoki versions 3.25.0 and 3.26.0 contain a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation. An attacker with local access can supply a compressed EC public key and invoke C_WrapKey to cause out-of-bounds writes, potentially leading to heap corruption or denial-of-service. This affects systems using openCryptoki for PKCS#11 cryptographic operations on Linux and AIX.

💻 Affected Systems

Products:

openCryptoki

Versions: 3.25.0 and 3.26.0

Operating Systems: Linux, AIX

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems where openCryptoki is installed and the vulnerable CKM_ECDH_AES_KEY_WRAP mechanism is used.

📦 What is this software?

Opencryptoki by Opencryptoki Project

View all CVEs affecting Opencryptoki →

Opencryptoki by Opencryptoki Project

View all CVEs affecting Opencryptoki →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Heap corruption leading to arbitrary code execution in the host process, potentially compromising cryptographic keys and system integrity.

🟠

Likely Case

Denial-of-service through process crashes or memory corruption, disrupting cryptographic operations.

🟢

If Mitigated

Limited to denial-of-service if exploit attempts are detected and blocked, with no privilege escalation.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Local attackers or compromised accounts could exploit this to disrupt services or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and knowledge of PKCS#11 API calls. The vulnerability is in a specific cryptographic operation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commits 785d7577e1477d12fbe235554e7e7b24f2de34b7 and e37e9127deeeb7bf3c3c4d852c594256c57ec3a8

Vendor Advisory: https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7

Restart Required: Yes

Instructions:

1. Update openCryptoki to a patched version. 2. Apply commits 785d7577e1477d12fbe235554e7e7b24f2de34b7 and e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 if building from source. 3. Restart services using openCryptoki.

🔧 Temporary Workarounds

Disable CKM_ECDH_AES_KEY_WRAP mechanism

linux

Prevent use of the vulnerable cryptographic mechanism if not required.

Modify PKCS#11 configuration to disable CKM_ECDH_AES_KEY_WRAP in mechanism lists.

🧯 If You Can't Patch

Restrict local access to systems running openCryptoki to trusted users only.
Monitor for abnormal process crashes or memory usage in openCryptoki-related services.

🔍 How to Verify

Check if Vulnerable:

Check openCryptoki version: dpkg -l opencryptoki or rpm -q opencryptoki. If version is 3.25.0 or 3.26.0, system is vulnerable.

Check Version:

dpkg -l opencryptoki 2>/dev/null || rpm -q opencryptoki 2>/dev/null || echo 'Check package manager or source version'

Verify Fix Applied:

Verify version is not 3.25.0 or 3.26.0, or check that commits 785d7577e1477d12fbe235554e7e7b24f2de34b7 and e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 are applied in source builds.

📡 Detection & Monitoring

Log Indicators:

Process crashes of openCryptoki-related services
Error logs mentioning C_WrapKey failures or memory corruption

Network Indicators:

None - local exploitation only

SIEM Query:

Process:name="opencryptoki" AND (EventID:1000 OR "segmentation fault" OR "heap corruption")

📊 Metadata

CVE ID: CVE-2026-22791

CVSS v3 Score: 6.6 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE: CWE-131

EPSS Score: 0.02% exploit probability (2.7th percentile)

Published: January 13, 2026

Last Updated: February 3, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22791, you might also want to check these: