opencryptoki_project CVE Vulnerabilities & Metrics

Focus on opencryptoki_project vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About opencryptoki_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with opencryptoki_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total opencryptoki_project CVEs: 3
Earliest CVE date: 10 Oct 2012, 18:55 UTC
Latest CVE date: 13 Jan 2026, 19:16 UTC

Latest CVE reference: CVE-2026-22791

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical opencryptoki_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.82

Max CVSS: 6.2

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS opencryptoki_project CVEs

These are the five CVEs with the highest CVSS scores for opencryptoki_project, sorted by severity first and recency.

CVE-2012-4455 opencryptoki_project Published on 10 Oct 2012, 18:55 UTC (CVSS: 6.2)
openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/.
CVE-2012-4454 opencryptoki_project Published on 10 Oct 2012, 18:55 UTC (CVSS: 2.9)
openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp.
CVE-2026-22791 opencryptoki_project Published on 13 Jan 2026, 19:16 UTC (CVSS: 0)
openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.
CVE-2024-0914 opencryptoki_project Published on 31 Jan 2024, 05:15 UTC (CVSS: 0)
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
CVE-2021-3798 opencryptoki_project Published on 23 Aug 2022, 16:15 UTC (CVSS: 0)
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

All CVEs for opencryptoki_project

CVE-2026-22791 opencryptoki_project vulnerability CVSS: 0 13 Jan 2026, 19:16 UTC

openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, there is a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.

CVE-2024-0914 opencryptoki_project vulnerability CVSS: 0 31 Jan 2024, 05:15 UTC

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

CVE-2021-3798 opencryptoki_project vulnerability CVSS: 0 23 Aug 2022, 16:15 UTC

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

CVE-2012-4455 opencryptoki_project vulnerability CVSS: 6.2 10 Oct 2012, 18:55 UTC

openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/.

CVE-2012-4454 opencryptoki_project vulnerability CVSS: 2.9 10 Oct 2012, 18:55 UTC

openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp.