{"id":"CVE-2026-23893","summary":"openCryptoki has improper link resolution before file access (link following)","details":"openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit this when an administrator runs, as root, a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance: the operation follows the planted symlink and is applied to the link's target instead of a file in the token directory. 
This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.","aliases":["GHSA-j6c7-mvpx-jx5q"],"modified":"2026-05-05T18:29:21.872041569Z","published":"2026-01-22T00:01:43.521Z","related":["ALSA-2026:4717","ALSA-2026:5587","ALSA-2026:5603","SUSE-SU-2026:0351-1","SUSE-SU-2026:0481-1","SUSE-SU-2026:0569-1","SUSE-SU-2026:0581-1","SUSE-SU-2026:0824-1","SUSE-SU-2026:20345-1","SUSE-SU-2026:20434-1","SUSE-SU-2026:21419-1","SUSE-SU-2026:21455-1","openSUSE-SU-2026:10086-1","openSUSE-SU-2026:20233-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23893.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-59"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23893.json"},{"type":"ADVISORY","url":"https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23893"},{"type":"FIX","url":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencryptoki/opencryptoki","events":[{"introduced":"0"},{"fixed":"5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45"}]}],"versions":["v2.3.2","v2.3.3","v2.4.3","v2.4.3.1","v3.0","v3.1","v3.10.0","v3.11.0","v3.11.1","v3.12.0","v3.12.1","v3.13.0","v3.14.0","v3.15.0","v3.15.1","v3.16.0","v3.17.0","v3.18.0","v3.19.0","v3.2","v3.20.0","v3.21.0","v3.22.0","v3.23.0","v3.24.0","v3.25.0","v3.26.0","v3.3","v3.4","v3.4.1","v3.5","v3.6","v3.6.1","v3.6.2","v3.7.0","v3.8.0","v3.8.1","v3.8.2","v3.9.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-093775c1","digest":{"length":466,"function_hash":"54995883240599984587089555980828417381"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/
5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_nvdat_new"}},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/icsf_stdll/pbkdf.c","function":"secure_racf"},"digest":{"length":1264,"function_hash":"51081220938057829058675509396169401593"},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"id":"CVE-2026-23893-116052df"},{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-1a73f1e1","digest":{"length":1667,"function_hash":"106663813666013570919063915365852190943"},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"target":{"file":"usr/sbin/pkcstok_admin/pkcstok_admin.c","function":"set_file_permissions"}},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_object_path_new"},"digest":{"length":337,"function_hash":"71721029755356685450949780482580700831"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-281048d0"},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"load_token_data"},"digest":{"length":3102,"function_hash":"99321750040856286238943382644680334507"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-2ed17952"},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_data_store_path_new"},"digest":{"length":337,"function_hash":"71721029755356685450949780482580700831"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-3e3566b5"},{"signa
ture_type":"Function","signature_version":"v1","target":{"file":"usr/sbin/pkcstok_migrate/pkcstok_migrate.c","function":"open_datastore_file"},"digest":{"length":421,"function_hash":"112938376403105543780404004769527279708"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-441e9e27"},{"signature_type":"Line","signature_version":"v1","target":{"file":"usr/lib/icsf_stdll/pbkdf.c"},"digest":{"line_hashes":["232692319011180973662454341943768431692","338774322811513180029831631912795480188","48597585850705040495417696806729802898","12074691428719386539703228071107634016","193473049795777956517093971684203995300","14915543135081216729983455335839427619","273936134344065685892466455514074994246","142203977544804320496300886112125593267","143791475590861636744304060821988232903","23883007264496879109762009740824156759","315661823104481231728535348967335530088","16171389934874196076797818715270955059","109512824865312847965608463776163181686","142203977544804320496300886112125593267","143791475590861636744304060821988232903","23883007264496879109762009740824156759"],"threshold":0.9},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"id":"CVE-2026-23893-49f8babd"},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/sbin/pkcstok_migrate/pkcstok_migrate.c","function":"open_tokenobject"},"digest":{"length":478,"function_hash":"15486492430361592333337751580850392468"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-5a47bb2b"},{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-66485731","digest":{"length":1502,"function_hash":"91116549735462635982536309051617112503"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e46
3bfa55da8b45","target":{"file":"usr/lib/icsf_stdll/pbkdf.c","function":"secure_masterkey"}},{"signature_type":"Line","signature_version":"v1","id":"CVE-2026-23893-8fe56124","digest":{"line_hashes":["15489671424757511020912882242782482136","56666132376499984288052280688221580613","158449444873556860885972804391762073952","100472049655531559899378098258231666944","244177069022243385396206698881351270744","203829818632413880699518888193297678970"],"threshold":0.9},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/lib/hsm_mk_change/hsm_mk_change.c"}},{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-97c2ea35","digest":{"length":725,"function_hash":"117831461944000559904126988964586570902"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/lib/hsm_mk_change/hsm_mk_change.c","function":"hsm_mk_change_op_open"}},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"load_token_data_old"},"digest":{"length":1395,"function_hash":"111255980867171939970060829937353436730"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-a69d82b3"},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_nvdat"},"digest":{"length":285,"function_hash":"272456828484596273941411820997138857"},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"id":"CVE-2026-23893-b1062670"},{"signature_type":"Line","signature_version":"v1","id":"CVE-2026-23893-c2acf479","digest":{"line_hashes":["280571626916806133518066190685586719479","287870964696176360281130889098607678913","9767560235661784800692617313763495547","21
9769479816456674198607557357721478","274769757231512652205366398615871044233","3990901327397347428143804364247118291","237642658403159821166494880470204905459","97794115704669144699332225616646120293","124835335388175471766732942796414137141","105953133696313076935973892769727722614","229507315523916291202560026861601279664","3990901327397347428143804364247118291","237642658403159821166494880470204905459","97794115704669144699332225616646120293","124835335388175471766732942796414137141","324877215732406300873702252400477822721"],"threshold":0.9},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/sbin/pkcstok_migrate/pkcstok_migrate.c"}},{"signature_type":"Line","signature_version":"v1","id":"CVE-2026-23893-c3e5cd52","digest":{"line_hashes":["325268889751873915955488672694862286917","81019575694286998921099733523581017926","91016232480879095167974774722527008198","195753208025006993936672397492639233192","17447036333962650099765398705214614392","255545558299416394574598849612904940267","183998400731119695457177702523978787835"],"threshold":0.9},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"target":{"file":"usr/sbin/pkcstok_admin/pkcstok_admin.c"}},{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-c4b02a64","digest":{"length":230,"function_hash":"243142129204337719481968259306443535278"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_object_path"}},{"signature_type":"Line","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c"},"digest":{"line_hashes":["130219788216953307054710459626689921233","294625770732324824625974576292103679055","257954285725009178230658651815137998107","167143830701308531890689927665050979838","
128648974904001907052833009964738541098","175775836956429672429260993113560017249","78720257673986359827460233912024815040","181455789857229613379344126191956298384","106826496157657451059027983665302831416","139549456515988918371305880507454612401","293092264195465612810696372578670431403","243854042999176139920443898044625671487","194960390909016368175620159678663867842","279683447924522305520958689135361899769","339237101718259831679288574873807772619","254212817142562591388885905243809012447","148983836213744675063194612611783035005","139509022303178156244081370121091959836","191338976358706243786390043380144929493","299517248325820598649125824886981893808","137169632033227037137342236478250802979","56538033647642063674930510337031613098","38467512979560911779400175011373844348","181455789857229613379344126191956298384","136063553657180942228748821372163794857","162657615778819703616094192885373254785","218403680927816803241778978616055643585","335363227638044916594014365792755763345","181322505521843405221618670548549931052","69637511809283748232363421763824155348","211660894862885708697540226681030023359","137231143477895339074556468446772638020","159421425504938635231275143303688374859","78253367602443550355323842337772277390","308425347313441483835631312836540163091","334523749171541979181658898836002679589","198021045692023733089118434588128805774","27806316873157449691677940394486174283","77344792549735925347411389177582763474","123941886387381210931555224572376598460","127932408877787759099760061025156436861","161266098772576260652484671742899828835","58674320299942814967629062051270028255","60951060684505256837575595747644506255","216697905415821480145657116243964013904","210869832628315581952964663617004346584","256210714852083557382067308706369661777","64991708944156202001775677949794399595","304165402018018738166441466156160729512","77125046306906251798439866907211187425","224286995324978286769175750843806532607","7308078732508102713285464429219446590
5","173057743506180414131403848713498998241","242636471791832004156266191875640524918","169964868101435517502305362017044922823","258267237471711476227122626177075212724","78953980434430817897684613704059268819","323909407104312641797712777510345357190","312789429515076323851241134762459607949","99681048147998807206779166834130966885","166932185762198165041346672526717960541","212950135753253752300602183636059321370","78953980434430817897684613704059268819","323909407104312641797712777510345357190","312789429515076323851241134762459607949","99681048147998807206779166834130966885","166932185762198165041346672526717960541","212950135753253752300602183636059321370"],"threshold":0.9},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","id":"CVE-2026-23893-c538da08"},{"signature_type":"Function","signature_version":"v1","id":"CVE-2026-23893-df8f5ecd","digest":{"length":982,"function_hash":"244029561252816256467181772674295486006"},"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","deprecated":false,"target":{"file":"usr/lib/common/loadsave.c","function":"save_token_object"}},{"signature_type":"Line","signature_version":"v1","id":"CVE-2026-23893-ece7ebb3","digest":{"line_hashes":["207437830062298550604623743444277200826","216086377252909109603564529820630454675","74890764580114757864662279854242840419","184468190930561991425453130626618712819"],"threshold":0.9},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45","target":{"file":"usr/lib/common/platform.h"}},{"signature_type":"Function","signature_version":"v1","target":{"file":"usr/lib/common/loadsave.c","function":"open_token_data_store_path"},"digest":{"length":230,"function_hash":"243142129204337719481968259306443535278"},"deprecated":false,"source":"https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b92
0e463bfa55da8b45","id":"CVE-2026-23893-fdc12d6a"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23893.json","vanir_signatures_modified":"2026-04-12T20:23:13Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L"}]}