Security Vulnerability Report
CVE-2026-32953 CVSS 4.6 MEDIUM

CVE-2026-32953

Published: 2026-03-20 05:16:15
Last Modified: 2026-04-16 13:14:09

Description

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:tillitis:tkey_client:*:*:*:*:*:go:*:* - VULNERABLE
Tillitis TKey Client <= 1.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// demonstrateVulnerability simulates the vulnerable buffer index error logic.
func demonstrateVulnerability(uss string) {
	// Hash the User Supplied Secret (USS)
	hash := sha256.Sum256([]byte(uss))
	ussEnabled := true // Assume USS is intended to be used

	fmt.Printf("USS: %s\n", uss)
	fmt.Printf("Hash: %s\n", hex.EncodeToString(hash[:]))

	// VULNERABLE CODE SIMULATION:
	// The buffer index error causes the first byte of the USS digest
	// to overwrite the ussEnabled boolean variable.
	// In Go, if we treat the boolean memory as a byte, 0x00 is false.
	firstByte := hash[0]

	// Simulating the overwrite
	if firstByte == 0x00 {
		ussEnabled = false
	}

	fmt.Printf("First byte of hash: 0x%02x\n", firstByte)
	if ussEnabled {
		fmt.Println("Result: USS is APPLIED (Secure)")
	} else {
		fmt.Println("Result: USS is IGNORED (Vulnerable - CDI same as no USS)")
	}
	fmt.Println("---")
}

func main() {
	// Case 1: A hash starting with non-00 (Safe)
	demonstrateVulnerability("normal_secret_data")

	// Case 2: A hash starting with 00 (Vulnerable)
	// Rather than search for an input whose digest starts with 0x00,
	// we force the first byte to show the vulnerable state.
	fmt.Println("Simulating a hash starting with 0x00...")
	hash := sha256.Sum256([]byte("some_input"))
	// Manually setting first byte to 0x00 for demonstration of the bug consequence
	hash[0] = 0x00

	ussEnabled := true
	if hash[0] == 0x00 {
		ussEnabled = false
	}

	fmt.Printf("Hash starts with: 0x%02x\n", hash[0])
	if !ussEnabled {
		fmt.Println("Result: USS is IGNORED (Vulnerable - CDI same as no USS)")
	}
}
```
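The buffer index error from the Description, modelled as an added example at the level of a request frame; this is not the tkeyclient source or this page's own code. It shows how copying the digest to the flag's offset drops a USS, and how to check whether a given USS is affected. The frame offsets, all function names, the SHA-256 stand-in digest (`standIn`) and the `uss-<n>` candidates are assumptions constructed for illustration; the real offsets and hash function must be taken from the module itself.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Assumed frame layout for this sketch (not taken from tkeyclient):
// byte 0 is the "USS enabled" flag, bytes 1..32 hold the USS digest.
const flagOff, digestOff, frameLen = 0, 1, 33

// digestFn is the USS hash; standIn (SHA-256) is an assumption, as in the page's simulation.
type digestFn func([]byte) [32]byte

var standIn digestFn = sha256.Sum256

// buildFrame sets the flag, then copies the digest to offset off.
// off == flagOff models the index error; off == digestOff is the intended layout.
func buildFrame(uss []byte, h digestFn, off int) []byte {
	f := make([]byte, frameLen)
	if len(uss) > 0 {
		f[flagOff] = 1
		d := h(uss)
		copy(f[off:], d[:])
	}
	return f
}

// deviceSeesUSS models the receiver: any non-zero flag byte means "mix in the USS".
func deviceSeesUSS(frame []byte) bool { return frame[flagOff] != 0 }

// ussIgnored reports whether a non-empty USS is dropped by the buggy layout.
func ussIgnored(uss []byte, h digestFn) bool {
	return len(uss) > 0 && !deviceSeesUSS(buildFrame(uss, h, flagOff))
}

// firstIgnored scans constructed candidates "uss-<n>" for one that is dropped.
func firstIgnored(h digestFn, limit int) (string, bool) {
	for i := 0; i < limit; i++ {
		if c := fmt.Sprintf("uss-%d", i); ussIgnored([]byte(c), h) {
			return c, true
		}
	}
	return "", false
}

func main() {
	c, ok := firstIgnored(standIn, 1<<16)
	fmt.Println(c, ok, deviceSeesUSS(buildFrame([]byte(c), standIn, digestOff)))
}
```

With the real digest function passed as `h`, `ussIgnored` is the check behind the workaround in the Description: a USS for which it returns true should be replaced until the client is upgraded to 1.3.0.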

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32953", "sourceIdentifier": "[email protected]", "published": "2026-03-20T05:16:14.720", "lastModified": "2026-04-16T13:14:09.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte."}, {"lang": "es", "value": "El paquete Tillitis TKey Client es un paquete Go para un cliente TKey. Las versiones 1.2.0 e inferiores contienen un error crítico en el módulo Go tkeyclient que provoca que 1 de cada 256 Secretos Suministrados por el Usuario (USS) sea ignorado silenciosamente, produciendo el mismo Identificador de Dispositivo Compuesto (CDI) —y por lo tanto el mismo material de clave— como si no se proporcionara ningún USS. Esto ocurre porque un error de índice de búfer sobrescribe el booleano USS-enabled con el primer byte del resumen del USS, por lo que cualquier USS cuyo hash comience con 0x00 es efectivamente descartado. Este problema ha sido solucionado en la versión 1.3.0. 
Los usuarios que no puedan actualizar inmediatamente deberían cambiar a un USS cuyo hash no comience con un byte cero."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", 
"scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-303"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tillitis:tkey_client:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "69DA71F2-9C6E-443F-977D-480ED94F7BCB"}]}]}], "references": [{"url": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}