UBUNTU-CVE-2026-32953

Source
https://ubuntu.com/security/CVE-2026-32953
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32953.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-32953
Upstream
Published
2026-03-20T05:16:00Z
Modified
2026-05-20T16:25:23.449439857Z
Severity
  • 4.7 (Medium) CVSS_V4 - CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Ubuntu - medium
Summary
[none]
Details

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.
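The index error described above, as an added illustration that is not the tkeyclient project's own code: a frame builder carrying the off-by-one beside the corrected one, a parser that reads the frame as the receiving side would, and the check behind the suggested workaround (does this secret's digest start with 0x00?). The frame layout (flag at index 6, digest at index 7), the frame length, the app-length field and the use of SHA-256 as the USS digest are assumptions made so the example runs offline; the page does not name the client's hash function, so substitute the real one before running the check against actual secrets.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed frame layout: the advisory only says a USS-enabled flag byte is
// followed by the 32-byte USS digest. These indices are an illustration,
// not the project's wire format.
const (
	frameLen     = 128
	appLenIdx    = 2 // 4-byte app length, little-endian
	ussFlagIdx   = 6 // 1 = USS supplied, 0 = no USS
	ussDigestIdx = 7 // the digest must start one byte after the flag
	ussDigestLen = 32
)

// DigestFunc stands in for whatever hash the client applies to the USS.
type DigestFunc func(secret []byte) [ussDigestLen]byte

// sha256Digest is a stand-in so the example runs offline; the page does not
// name the client's actual hash function.
func sha256Digest(secret []byte) [ussDigestLen]byte { return sha256.Sum256(secret) }

// buildFrameVulnerable reproduces the index error the advisory describes:
// the digest copy starts at the flag's own index, so digest[0] lands on the
// flag. A digest starting with 0x00 therefore clears it.
func buildFrameVulnerable(appLen uint32, secret []byte, h DigestFunc) []byte {
	tx := make([]byte, frameLen)
	binary.LittleEndian.PutUint32(tx[appLenIdx:], appLen)
	if len(secret) == 0 {
		return tx // flag stays 0: no USS
	}
	tx[ussFlagIdx] = 1
	d := h(secret)
	copy(tx[ussFlagIdx:], d[:]) // BUG: overwrites the flag with d[0]
	return tx
}

// buildFrameFixed writes the digest after the flag, as the fix does.
func buildFrameFixed(appLen uint32, secret []byte, h DigestFunc) []byte {
	tx := make([]byte, frameLen)
	binary.LittleEndian.PutUint32(tx[appLenIdx:], appLen)
	if len(secret) == 0 {
		return tx
	}
	tx[ussFlagIdx] = 1
	d := h(secret)
	copy(tx[ussDigestIdx:], d[:])
	return tx
}

// parseFrame reads the frame the way the receiving side would: the flag
// decides whether the digest bytes are used at all.
func parseFrame(tx []byte) (ussPresent bool, digest [ussDigestLen]byte) {
	ussPresent = tx[ussFlagIdx] != 0
	copy(digest[:], tx[ussDigestIdx:ussDigestIdx+ussDigestLen])
	return ussPresent, digest
}

// ussSilentlyDropped is the condition behind the advisory's workaround: with
// the vulnerable client, a secret whose digest starts with 0x00 is ignored
// and the device derives the same CDI as with no USS at all.
func ussSilentlyDropped(secret []byte, h DigestFunc) bool {
	if len(secret) == 0 {
		return false
	}
	d := h(secret)
	return d[0] == 0x00
}

// findSecret scans constructed candidate secrets "<prefix><n>" and returns
// the first one whose dropped/not-dropped status equals want.
func findSecret(h DigestFunc, prefix string, limit int, want bool) ([]byte, bool) {
	for i := 0; i < limit; i++ {
		s := []byte(fmt.Sprintf("%s%d", prefix, i))
		if ussSilentlyDropped(s, h) == want {
			return s, true
		}
	}
	return nil, false
}

// countDropped measures how many of n constructed secrets hit the bug;
// for a uniformly distributed digest the expected rate is 1/256.
func countDropped(h DigestFunc, prefix string, n int) int {
	dropped := 0
	for i := 0; i < n; i++ {
		if ussSilentlyDropped([]byte(fmt.Sprintf("%s%d", prefix, i)), h) {
			dropped++
		}
	}
	return dropped
}

func main() {
	h := DigestFunc(sha256Digest)
	bad, _ := findSecret(h, "uss-", 1<<20, true)
	vOn, _ := parseFrame(buildFrameVulnerable(4096, bad, h))
	fOn, _ := parseFrame(buildFrameFixed(4096, bad, h))
	fmt.Printf("secret %q: vulnerable client sends USS flag=%v, fixed client sends flag=%v\n", bad, vOn, fOn)
	fmt.Printf("%d of 65536 constructed secrets dropped (expect about 256)\n", countDropped(h, "uss-", 65536))
}
```

Running it with `go run` finds a constructed secret whose digest begins with 0x00 and shows the vulnerable builder emitting flag=0 for it while the fixed builder emits flag=1. Under this assumed layout the vulnerable copy also lands the remaining digest bytes one index early, so even secrets that are not dropped reach the device as a shifted digest; a client that moves from an affected version to 1.3.0 should expect the USS-derived key material to change, and the check in `ussSilentlyDropped` only tells you whether a given secret was being ignored outright.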

References

Affected packages

Ubuntu:25.10 / golang-github-tillitis-tkeyclient

Package

Name
golang-github-tillitis-tkeyclient
Purl
pkg:deb/ubuntu/golang-github-tillitis-tkeyclient?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.1.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-tillitis-tkeyclient-dev",
            "binary_version": "1.1.0-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32953.json"

Ubuntu:26.04:LTS / golang-github-tillitis-tkeyclient

Package

Name
golang-github-tillitis-tkeyclient
Purl
pkg:deb/ubuntu/golang-github-tillitis-tkeyclient?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.1.0-2
1.2.0-1
1.2.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-tillitis-tkeyclient-dev",
            "binary_version": "1.2.0-2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32953.json"