CVE-2026-32953

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8	Patch
https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0	Release Notes
https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tillitis:tkey_client:*:*:*:*:*:go:*:*

History

16 Apr 2026, 13:14

Type	Values Removed	Values Added
CPE		cpe:2.3:a:tillitis:tkey_client::::::go::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.6
References	~~() https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8 -~~	() https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8 - Patch
References	~~() https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0 -~~	() https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0 - Release Notes
References	~~() https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v -~~	() https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v - Exploit, Vendor Advisory
Summary		(es) El paquete Tillitis TKey Client es un paquete Go para un cliente TKey. Las versiones 1.2.0 e inferiores contienen un error crítico en el módulo Go tkeyclient que provoca que 1 de cada 256 Secretos Suministrados por el Usuario (USS) sea ignorado silenciosamente, produciendo el mismo Identificador de Dispositivo Compuesto (CDI) —y por lo tanto el mismo material de clave— como si no se proporcionara ningún USS. Esto ocurre porque un error de índice de búfer sobrescribe el booleano USS-enabled con el primer byte del resumen del USS, por lo que cualquier USS cuyo hash comience con 0x00 es efectivamente descartado. Este problema ha sido solucionado en la versión 1.3.0. Los usuarios que no puedan actualizar inmediatamente deberían cambiar a un USS cuyo hash no comience con un byte cero.
First Time		Tillitis Tillitis tkey Client
CWE		NVD-CWE-noinfo

20 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 05:16

Updated : 2026-04-16 13:14

NVD link : CVE-2026-32953

Mitre link : CVE-2026-32953

CVE.ORG link : CVE-2026-32953

JSON object : View

Products Affected

tillitis

tkey_client

CWE

CWE-303

Incorrect Implementation of Authentication Algorithm

NVD-CWE-noinfo

4.6 /10