openCryptoki 2.3.2 on Linux/AIX link following

Summaryinfo

A vulnerability identified as critical has been detected in openCryptoki 2.3.2 on Linux/AIX. This affects an unknown part. Performing a manipulation results in link following. This vulnerability is reported as CVE-2026-23893. The attack requires a local approach. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in openCryptoki 2.3.2 on Linux/AIX. It has been classified as critical. This affects some unknown functionality. The manipulation with an unknown input leads to a link following vulnerability. CWE is classifying the issue as CWE-59. The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.

It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-23893 since 01/16/2026. The exploitability is told to be easy. Attacking locally is a requirement. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 297428 (openSUSE 15 Security Update : openCryptoki (SUSE-SU-2026:0351-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.3.2 eliminates this vulnerability. Applying the patch 5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (297428), EUVD (EUVD-2026-4203) and CERT Bund (WID-SEC-2026-0756). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Red Hat Enterprise Linux
• Fedora Linux
• SUSE Linux
• Oracle Linux
• RESF Rocky Linux

Productinfo

Name

• openCryptoki

Version

• 2.3.2

License

• open-source

Website

• Product: https://github.com/opencryptoki/opencryptoki/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion