VDB
CVE-2026-32953
CVE-2026-32953
PUBLISHED
CVSS 4.699999809265137 MEDIUM
Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.
EPSS 0.01% · 0.8th percentile
Risk Scores
CVSS v4.0
4.699999809265137
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
EPSS Score
0.01%
0.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| tillitis | tkeyclient | *, < 1.3.0 |
| github.com | tillitis/tkeyclient | 0, 0 |
Timeline
- Mar 17, 2026 CVE Published
- Mar 18, 2026 Security Advisory
- Mar 20, 2026 CVE Updated
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score
References
- https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v url
- https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8 url
- https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-32953 advisory
- https://github.com/tillitis/tkeyclient package