Main Vulnerability Database SB20260414107

SB20260414107 - Denial of service in Opencryptoki

Published: April 14, 2026

Security Bulletin ID SB20260414107

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2026-40253)

The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to out-of-bounds read in BER/DER decoding functions in usr/lib/common/asn1.c when parsing malformed BER-encoded cryptographic objects with attacker-controlled length fields. A remote attacker can supply a specially crafted key or certificate to disclose sensitive information and cause a denial of service.

The issue affects the shared common library and impacts all token backends, including Soft, ICA, CCA, TPM, EP11, and ICSF.

Remediation

Install update from vendor's website.

References

https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-c9cf-6vr4-wfxm