2429335 – (CVE-2026-22791) CVE-2026-22791 openCryptoki: openCryptoki: Denial of Service and heap corruption via heap buffer overflow

Bug 2429335 (CVE-2026-22791) - CVE-2026-22791 openCryptoki: openCryptoki: Denial of Service and heap corruption via heap buffer overflow

Summary: CVE-2026-22791 openCryptoki: openCryptoki: Denial of Service and heap corrupt...

Keywords:
Status:	NEW
Alias:	CVE-2026-22791
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-13 20:02 UTC by OSIDB Bzimport
Modified:	2026-01-19 16:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-13 20:02:34 UTC

openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.

Note You need to log in before you can comment on or make changes to this bug.