Bug 2459076 (CVE-2026-40253) - CVE-2026-40253 openCryptoki: openCryptoki: Information disclosure and Denial of Service via malformed BER-encoded cryptographic objects
Keywords:
Status: NEW
Alias: CVE-2026-40253
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-16 23:01 UTC by OSIDB Bzimport
Modified: 2026-06-30 14:12 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:26352 0 None None None 2026-06-16 15:41:35 UTC
Red Hat Product Errata RHSA-2026:28231 0 None None None 2026-06-23 18:13:31 UTC
Red Hat Product Errata RHSA-2026:28256 0 None None None 2026-06-23 18:42:16 UTC
Red Hat Product Errata RHSA-2026:33519 0 None None None 2026-06-30 14:12:36 UTC

Description OSIDB Bzimport 2026-04-16 23:01:22 UTC
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available through commit ed378f463ef73364c89feb0fc923f4dc867332a3.
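
The class of check the description says was missing, as an added example in C; it is not openCryptoki's code and not the referenced patch. The function name, its signature, the 4-octet cap on long-form lengths and the sample bytes are assumptions constructed for illustration: an INTEGER decoder that receives the buffer length and rejects zero-length and out-of-range length fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not openCryptoki's API. buf holds exactly buf_len
 * valid bytes. Returns 0 and sets the content pointer/length and the total
 * bytes consumed, or -1 on malformed or truncated input. */
int bounded_ber_decode_integer(const uint8_t *buf, size_t buf_len,
                               const uint8_t **data, size_t *data_len,
                               size_t *field_len)
{
    size_t hdr = 2, len;
    if (buf == NULL || buf_len < 2 || buf[0] != 0x02) /* need tag + length */
        return -1;
    if ((buf[1] & 0x80) == 0) {
        len = buf[1];                         /* short form, 0..127 */
    } else {
        size_t n = buf[1] & 0x7F;             /* count of length octets */
        if (n == 0 || n > 4 || buf_len - 2 < n)
            return -1;                        /* indefinite, oversized, truncated */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr += n;
    }
    /* len == 0: an empty INTEGER, where a later len - 1 would wrap.
     * len > remaining: the declared length runs past the buffer. */
    if (len == 0 || len > buf_len - hdr)
        return -1;
    *data = buf + hdr;
    *data_len = len;
    *field_len = hdr + len;
    return 0;
}

/* Constructed sample encodings (not taken from the advisory). */
static const uint8_t ok_int[]   = { 0x02, 0x02, 0x01, 0x00 };       /* 256 */
static const uint8_t zero_len[] = { 0x02, 0x00 };
static const uint8_t overlong[] = { 0x02, 0x82, 0xFF, 0xFF, 0x01 }; /* claims 65535 */
static const uint8_t cut_hdr[]  = { 0x02, 0x84, 0x00, 0x00 };

int main(void)
{
    const uint8_t *d; size_t dl, fl;
    printf("ok=%d zero=%d overlong=%d cut=%d\n",
           bounded_ber_decode_integer(ok_int, sizeof ok_int, &d, &dl, &fl),
           bounded_ber_decode_integer(zero_len, sizeof zero_len, &d, &dl, &fl),
           bounded_ber_decode_integer(overlong, sizeof overlong, &d, &dl, &fl),
           bounded_ber_decode_integer(cut_hdr, sizeof cut_hdr, &d, &dl, &fl));
    return 0;
}
```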

Comment 4 errata-xmlrpc 2026-06-16 15:41:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:26352 https://access.redhat.com/errata/RHSA-2026:26352

Comment 5 errata-xmlrpc 2026-06-23 18:13:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:28231 https://access.redhat.com/errata/RHSA-2026:28231

Comment 6 errata-xmlrpc 2026-06-23 18:42:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:28256 https://access.redhat.com/errata/RHSA-2026:28256

Comment 7 errata-xmlrpc 2026-06-30 14:12:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:33519 https://access.redhat.com/errata/RHSA-2026:33519
