Platform
c
Component
opencryptoki
Fixed in
3.26.1
CVE-2026-40253 describes a vulnerability in openCryptoki, a PKCS#11 library for Linux and AIX. This flaw stems from insufficient validation of BER (Basic Encoding Rules) length fields during decoding, potentially leading to memory corruption. Versions 1.0.0 through 3.26.0 are affected, and a patch is available in version 3.26.1.
An attacker can exploit this vulnerability by crafting malicious BER/DER encoded data and providing it to the openCryptoki library. The absence of proper buffer length checks allows the attacker to manipulate the decoding process, potentially overwriting memory regions and gaining control of the application or system. This could lead to arbitrary code execution, denial of service, or information disclosure. The vulnerability affects multiple primitive decoders, increasing the attack surface. The integer underflow in berdecodeINTEGER adds another potential attack vector.
This vulnerability was publicly disclosed on 2026-04-16. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the potential for memory corruption suggests a medium to high probability of exploitation if a suitable exploit is developed.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to openCryptoki version 3.26.1 or later, which includes the necessary buffer length validation fixes. If upgrading is not immediately feasible, consider implementing input validation on the BER/DER data before passing it to openCryptoki. While a WAF or proxy cannot directly mitigate this vulnerability, they can be configured to block suspicious BER/DER encoded payloads based on known patterns. Monitor system logs for unusual memory access patterns or crashes related to openCryptoki.
Update the openCryptoki library to version 3.26.1 or higher to mitigate the memory safety vulnerabilities. The update corrects the lack of buffer boundary validation in the BER/DER decoders, thus preventing potential out-of-bounds reads.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40253 is a medium severity vulnerability affecting openCryptoki versions 1.0.0 through 3.26.0. It allows attackers to trigger memory corruption due to insufficient buffer length validation during BER/DER decoding.
If you are using openCryptoki versions 1.0.0 through 3.26.0, you are potentially affected. Check your system's openCryptoki version and upgrade if necessary.
Upgrade to openCryptoki version 3.26.1 or later to resolve the vulnerability. If upgrading is not possible, implement input validation on BER/DER data.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-40253, but the potential for exploitation exists.
Refer to the openCryptoki project's official website or security mailing list for the latest advisory and updates regarding CVE-2026-40253.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.