Main Vulnerability Database Vulnerabilities #VU125982

#VU125982 Out-of-bounds read in Opencryptoki - CVE-2026-40253

Published: April 14, 2026

Vulnerability identifier: #VU125982

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-40253

CWE-ID: CWE-125

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Opencryptoki

Software vendor:
Opencryptoki Project

Description

The vulnerability allows a remote attacker to disclose sensitive information and cause a denial of service.

The vulnerability exists due to out-of-bounds read in BER/DER decoding functions in usr/lib/common/asn1.c when parsing malformed BER-encoded cryptographic objects with attacker-controlled length fields. A remote attacker can supply a specially crafted key or certificate to disclose sensitive information and cause a denial of service.

The issue affects the shared common library and impacts all token backends, including Soft, ICA, CCA, TPM, EP11, and ICSF.

Remediation

Install security update from vendor's website.

External links

https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-c9cf-6vr4-wfxm

#VU125982 Out-of-bounds read in Opencryptoki - CVE-2026-40253

Description

Remediation

External links

Please verify you're human