Listen to this Post
openCryptoki, a PKCS11 library for Linux and AIX, versions 2.3.2 and above, contains a vulnerability where it improperly resolves links before file access (CWE-59). The core issue is that token and lock directories are created with group-writable permissions (0770), allowing any member of the token group to plant files or symbolic links. When an administrator runs a privileged PKCS11 application or an administrative tool (like those performing `chown` operations for maintenance), the vulnerable code follows these planted symlinks. Consequently, a token-group user can redirect these root-privileged file operations to arbitrary system files, leading to privilege escalation by modifying ownership of files like `/etc/passwd` or exposing sensitive data. The vulnerability is present because the software fails to verify if a path is a symlink before acting on it in a privileged context. A fix is available in commit `5e6e4b4` but has not been formally released in a new version as of publication .
Platform: Linux/AIX
Version: 2.3.2+
Vulnerability : Symlink Following
Severity: Medium
date: Jan 21 2026
Prediction: March 2026
What Undercode Say:
Analytics:
Check openCryptoki version pkg-config --modversion opencryptoki rpm -q openCryptoki RHEL/SUSE dpkg -l | grep opencryptoki Debian Check token directory permissions (should not be world/group writable) ls -ld /var/lib/opencryptoki/ ls -ld /var/lock/opencryptoki/ Audit symlink creation in critical directories (add to audit.rules) -w /var/lib/opencryptoki/ -p wa -k opencryptoki_token -a always,exit -F arch=b64 -S symlink -S symlinkat -F dir=/var/lib/opencryptoki/ -k opencryptoki_symlink Search for current symlinks in token directories find /var/lib/opencryptoki/ -type l -ls Check if the fix commit is present in the source (if building from source) git log | grep "5e6e4b4"
Exploit:
Prerequisite: Attacker must be in the 'pkcs11' token group (example group name) 1. Identify a sensitive file to target (e.g., /etc/shadow) 2. Plant a symlink inside the group-writable token directory (e.g., for a soft token directory) ln -s /etc/shadow /var/lib/opencryptoki/softtoken/exploit_symlink 3. Wait for root to run an openCryptoki admin tool that resets ownership. When the tool accesses /var/lib/opencryptoki/softtoken/exploit_symlink, it follows the link and chowns /etc/shadow, granting the attacker group or attacker ownership.
Protection:
Immediate mitigation: Restrict token group membership List users in the token group (usually 'pkcs11') grep pkcs11 /etc/group Remove unauthorized users using: gpasswd -d <username> pkcs11 Apply the patch (manual compile if urgent) git clone https://github.com/opencryptoki/opencryptoki.git cd opencryptoki git checkout 5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 ./bootstrap ./configure make && sudo make install Wait for official distribution updates (patches now available for SUSE ) zypper patch SUSE yum update openCryptoki RHEL (when available) apt update && apt install opencryptoki Debian/Ubuntu (when available) Implement mandatory access control to restrict following echo "/var/lib/opencryptoki/. following" >> /etc/apparmor.d/local/usr.sbin.opencryptoki
Impact:
Successful exploitation allows a local attacker with token-group membership to gain root privileges by tricking a privileged process into changing ownership of critical system files (e.g., /etc/shadow, /etc/sudoers, /etc/passwd) to the attacker’s control, leading to full system compromise .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
TP-Link Deco BE25, OS Command Injection, CVE-2026-0654 (Critical)
