Bug 2431909 (CVE-2026-23893)

Summary: CVE-2026-23893 openCryptoki: openCryptoki: Privilege Escalation or Data Exposure via Symlink Following
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in openCryptoki, a PKCS#11 library and tooling for Linux and AIX. A token-group user can exploit a symlink-following vulnerability by planting symbolic links in group-writable token directories. When an administrator runs a PKCS#11 application or administrative tool as root, it may reset ownership or permissions on existing files within these directories. This can lead to privilege escalation or the exposure of sensitive data.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2432016, 2432017    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-22 01:01:54 UTC
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.

Comment 2 errata-xmlrpc 2026-03-17 10:33:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:4717 https://access.redhat.com/errata/RHSA-2026:4717

Comment 3 errata-xmlrpc 2026-03-24 10:25:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:5587 https://access.redhat.com/errata/RHSA-2026:5587

Comment 4 errata-xmlrpc 2026-03-24 10:29:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:5603 https://access.redhat.com/errata/RHSA-2026:5603

Comment 5 errata-xmlrpc 2026-03-26 10:13:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:5917 https://access.redhat.com/errata/RHSA-2026:5917

Comment 6 errata-xmlrpc 2026-03-26 10:50:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:5919 https://access.redhat.com/errata/RHSA-2026:5919

Comment 7 errata-xmlrpc 2026-03-30 01:42:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:6006 https://access.redhat.com/errata/RHSA-2026:6006