openCryptoki, Symlink Following, CVE-2026-23893 (Medium)

Listen to this Post

openCryptoki, a PKCS11 library for Linux and AIX, versions 2.3.2 and above, contains a vulnerability where it improperly resolves links before file access (CWE-59). The core issue is that token and lock directories are created with group-writable permissions (0770), allowing any member of the token group to plant files or symbolic links. When an administrator runs a privileged PKCS11 application or an administrative tool (like those performing `chown` operations for maintenance), the vulnerable code follows these planted symlinks. Consequently, a token-group user can redirect these root-privileged file operations to arbitrary system files, leading to privilege escalation by modifying ownership of files like `/etc/passwd` or exposing sensitive data. The vulnerability is present because the software fails to verify if a path is a symlink before acting on it in a privileged context. A fix is available in commit `5e6e4b4` but has not been formally released in a new version as of publication .
Platform: Linux/AIX
Version: 2.3.2+
Vulnerability : Symlink Following
Severity: Medium
date: Jan 21 2026

Prediction: March 2026

What Undercode Say:

Analytics:

Check openCryptoki version
pkg-config --modversion opencryptoki
rpm -q openCryptoki RHEL/SUSE
dpkg -l | grep opencryptoki Debian
Check token directory permissions (should not be world/group writable)
ls -ld /var/lib/opencryptoki/
ls -ld /var/lock/opencryptoki/
Audit symlink creation in critical directories (add to audit.rules)
-w /var/lib/opencryptoki/ -p wa -k opencryptoki_token
-a always,exit -F arch=b64 -S symlink -S symlinkat -F dir=/var/lib/opencryptoki/ -k opencryptoki_symlink
Search for current symlinks in token directories
find /var/lib/opencryptoki/ -type l -ls
Check if the fix commit is present in the source (if building from source)
git log | grep "5e6e4b4"

Exploit:

Prerequisite: Attacker must be in the 'pkcs11' token group (example group name)
1. Identify a sensitive file to target (e.g., /etc/shadow)
2. Plant a symlink inside the group-writable token directory
(e.g., for a soft token directory)
ln -s /etc/shadow /var/lib/opencryptoki/softtoken/exploit_symlink
3. Wait for root to run an openCryptoki admin tool that resets ownership.
When the tool accesses /var/lib/opencryptoki/softtoken/exploit_symlink,
it follows the link and chowns /etc/shadow, granting the attacker group
or attacker ownership.

Protection:

Immediate mitigation: Restrict token group membership
List users in the token group (usually 'pkcs11')
grep pkcs11 /etc/group
Remove unauthorized users using: gpasswd -d <username> pkcs11
Apply the patch (manual compile if urgent)
git clone https://github.com/opencryptoki/opencryptoki.git
cd opencryptoki
git checkout 5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45
./bootstrap
./configure
make && sudo make install
Wait for official distribution updates (patches now available for SUSE )
zypper patch SUSE
yum update openCryptoki RHEL (when available)
apt update && apt install opencryptoki Debian/Ubuntu (when available)
Implement mandatory access control to restrict following
echo "/var/lib/opencryptoki/. following" >> /etc/apparmor.d/local/usr.sbin.opencryptoki

Impact:

Successful exploitation allows a local attacker with token-group membership to gain root privileges by tricking a privileged process into changing ownership of critical system files (e.g., /etc/shadow, /etc/sudoers, /etc/passwd) to the attacker’s control, leading to full system compromise .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

TP-Link Deco BE25, OS Command Injection, CVE-2026-0654 (Critical)

Scroll to Top