What is CVE-2026-40253?

CVE-2026-40253 is a medium-severity vulnerability in Opencryptoki, classified under Out-of-bounds Read. CVSS score: 6.8/10. Published 2026-04-16.

How severe is CVE-2026-40253?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Out-of-bounds Read in Opencryptoki

CVE-2026-40253

openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust att…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (5.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H.

Affected products

Opencryptoki — versions <= 3.26.0

Weakness classification (CWE)

CWE-125 — Out-of-bounds Read

References

https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-c9cf-6vr4-wfxm (x_refsource_CONFIRM)
https://github.com/opencryptoki/opencryptoki/commit/ed378f463ef73364c89feb0fc923f4dc867332a3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40253?: CVE-2026-40253 is a medium-severity vulnerability in Opencryptoki, classified under Out-of-bounds Read. CVSS score: 6.8/10. Published 2026-04-16.
How severe is CVE-2026-40253?: Medium severity. CVSS v3 base score is 6.8 out of 10.