Vulnerability-Lookup

CVE-2026-32953 (GCVE-0-2026-32953)

Vulnerability from cvelistv5 – Published: 2026-03-20 04:24 – Updated: 2026-03-20 18:08

Title

Tillitis: TKey Client has an Error in Protocol Implementation

Summary

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.

Severity

4.7 (Medium)


                        
                          CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

CWE

CWE-303 - Incorrect Implementation of Authentication Algorithm

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/tillitis/tkeyclient/security/a…	x_refsource_CONFIRM
https://github.com/tillitis/tkeyclient/commit/495…	x_refsource_MISC
https://github.com/tillitis/tkeyclient/releases/t…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
tillitis	tkeyclient	Affected: < 1.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32953",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:34:24.939980Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:08:15.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tkeyclient",
          "vendor": "tillitis",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)\u2014and thus the same key material\u2014as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "PHYSICAL",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T04:24:12.374Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v"
        },
        {
          "name": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8"
        },
        {
          "name": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0"
        }
      ],
      "source": {
        "advisory": "GHSA-4w7r-3222-8h6v",
        "discovery": "UNKNOWN"
      },
      "title": "Tillitis: TKey Client has an Error in Protocol Implementation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32953",
    "datePublished": "2026-03-20T04:24:12.374Z",
    "dateReserved": "2026-03-17T00:05:53.285Z",
    "dateUpdated": "2026-03-20T18:08:15.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32953",
      "date": "2026-05-28",
      "epss": "8e-05",
      "percentile": "0.00779"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32953\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T05:16:14.720\",\"lastModified\":\"2026-04-16T13:14:09.187\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)\u2014and thus the same key material\u2014as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.\"},{\"lang\":\"es\",\"value\":\"El paquete Tillitis TKey Client es un paquete Go para un cliente TKey. Las versiones 1.2.0 e inferiores contienen un error cr\u00edtico en el m\u00f3dulo Go tkeyclient que provoca que 1 de cada 256 Secretos Suministrados por el Usuario (USS) sea ignorado silenciosamente, produciendo el mismo Identificador de Dispositivo Compuesto (CDI) \u2014y por lo tanto el mismo material de clave\u2014 como si no se proporcionara ning\u00fan USS. Esto ocurre porque un error de \u00edndice de b\u00fafer sobrescribe el booleano USS-enabled con el primer byte del resumen del USS, por lo que cualquier USS cuyo hash comience con 0x00 es efectivamente descartado. Este problema ha sido solucionado en la versi\u00f3n 1.3.0. Los usuarios que no puedan actualizar inmediatamente deber\u00edan cambiar a un USS cuyo hash no comience con un byte cero.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-303\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tillitis:tkey_client:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"1.3.0\",\"matchCriteriaId\":\"69DA71F2-9C6E-443F-977D-480ED94F7BCB\"}]}]}],\"references\":[{\"url\":\"https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32953\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:34:24.939980Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:34:32.594Z\"}}], \"cna\": {\"title\": \"Tillitis: TKey Client has an Error in Protocol Implementation\", \"source\": {\"advisory\": \"GHSA-4w7r-3222-8h6v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.7, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"tillitis\", \"product\": \"tkeyclient\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v\", \"name\": \"https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8\", \"name\": \"https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0\", \"name\": \"https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)\\u2014and thus the same key material\\u2014as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-303\", \"description\": \"CWE-303: Incorrect Implementation of Authentication Algorithm\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T04:24:12.374Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32953\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T18:08:15.041Z\", \"dateReserved\": \"2026-03-17T00:05:53.285Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T04:24:12.374Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32953

Vulnerability from fkie_nvd - Published: 2026-03-20 05:16 - Updated: 2026-04-16 13:14

Severity

4.6 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8	Patch
security-advisories@github.com	https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0	Release Notes
security-advisories@github.com	https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	tillitis	tkey_client	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tillitis:tkey_client:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "69DA71F2-9C6E-443F-977D-480ED94F7BCB",
              "versionEndExcluding": "1.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)\u2014and thus the same key material\u2014as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte."
    },
    {
      "lang": "es",
      "value": "El paquete Tillitis TKey Client es un paquete Go para un cliente TKey. Las versiones 1.2.0 e inferiores contienen un error cr\u00edtico en el m\u00f3dulo Go tkeyclient que provoca que 1 de cada 256 Secretos Suministrados por el Usuario (USS) sea ignorado silenciosamente, produciendo el mismo Identificador de Dispositivo Compuesto (CDI) \u2014y por lo tanto el mismo material de clave\u2014 como si no se proporcionara ning\u00fan USS. Esto ocurre porque un error de \u00edndice de b\u00fafer sobrescribe el booleano USS-enabled con el primer byte del resumen del USS, por lo que cualquier USS cuyo hash comience con 0x00 es efectivamente descartado. Este problema ha sido solucionado en la versi\u00f3n 1.3.0. Los usuarios que no puedan actualizar inmediatamente deber\u00edan cambiar a un USS cuyo hash no comience con un byte cero."
    }
  ],
  "id": "CVE-2026-32953",
  "lastModified": "2026-04-16T13:14:09.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "PHYSICAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T05:16:14.720",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-303"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4W7R-3222-8H6V

Vulnerability from github – Published: 2026-03-17 19:42 – Updated: 2026-03-20 21:22

Summary

Tillitis TKey Client has an Error in Protocol Implementation

Details

Impact

Some specific (1 out of 256) User Supplied Secrets (USS) were not used, making the resulting Compound Device Identifier (CDI) the same as if no USS was provided.

Affected client applications: all client apps using the tkeyclient Go module.

Patches

Upgrade to v1.3.0.

NOTE WELL: For the affected end users upgrading an app containing tkeyclient to v1.3.0 means their key material will change. An end user can get their old keys by not entering any USS. Please make sure to communicate this to end users.

Affected users

The steps required to assess whether your USS is vulnerable may vary depending on the client application. The example below shows how to perform the check using tkey-ssh-agent and the known vulnerable USS adl.

Insert the TKey into the client
Run tkey-ssh-agent -p --uss
When prompted for a User Supplied Secret, enter adl
Note the public key and call it pubkey-with-uss
Remove the TKey from the client
Insert the TKey into the client again
Run tkey-ssh-agent -p
Note the public key and call it pubkey-without-uss

Expected behavior: pubkey-with-uss and pubkey-without-uss should not be equal.

Observed behavior: pubkey-with-uss and pubkey-without-uss are equal.

Workaround

We recommend everyone using tkeyclient to update to v1.3.0 and release new versions of the client apps using it.

However, end users that are unable to upgrade to a new version of a client app, the recommendation is to change to an unaffected USS. Include specific instructions for your client app.

Details

When loading the device app an optional 32 bytes USS digest is also sent. The intention is to ask the end user to enter a USS of arbitrary length, hash it, and then send a 32 bytes digest to TKey.

However, there was a bug when sending the digest from the client. The index in the outgoing buffer is wrong and overwrites the boolean defining if the USS is used or not.

This means that if the USS digest begins with a 0, the rest of the digest is not used at all. If it begins with something else, setting the boolean to true, the USS is used.

The exported LoadApp() function calls an internal helper function loadApp() which contains this code:

  if len(secretPhrase) == 0 {
    tx[6] = 0
  } else {
    tx[6] = 1 // Note the 6 here
    // Hash user's phrase as USS
    uss := blake2s.Sum256(secretPhrase)
    copy(tx[6:], uss[:]) // Note that 6 is used again
  }

A side effect of this behavior is that only 31 bytes of the USS are used. This is not considered a security issue, but an option has been added to enforce use of the full USS. See the release notes for details. To avoid forcing all users to roll their keys, this option is disabled by default and must be explicitly enabled.

The fix

The fix focuses on solving the vulnerability only by: 1) use correct index, 2) always use the last 31 bytes of the USS:

  if len(secretPhrase) == 0 {
    tx[6] = 0
  } else {
    tx[6] = 1
    // Hash user's phrase as USS
    uss := blake2s.Sum256(secretPhrase)
    copy(tx[7:], uss[1:])
  }

This change means the key material of affected end users will change compared to earlier versions of tkeyclient. They have the choice of:

Not using a USS and keep their keys.
Keep using their USS and use new generated keys.
Use another USS and thus new keys.

Severity

4.7 (Medium)


                  
                    CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tillitis/tkeyclient"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:42:31Z",
    "nvd_published_at": "2026-03-20T05:16:14Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nSome specific (1 out of 256) User Supplied Secrets (USS) were not used,\nmaking the resulting Compound Device Identifier (CDI) the same as if no\nUSS was provided.\n\nAffected client applications: all client apps using the\n[tkeyclient](https://github.com/tillitis/tkeyclient) Go module.\n\n## Patches\n\nUpgrade to v1.3.0.\n\n**NOTE WELL**: For the affected end users upgrading an app containing\n`tkeyclient` to v1.3.0 means their key material will change. An end\nuser can get their old keys by not entering any USS. Please make sure\nto communicate this to end users.\n\n## Affected users\n\nThe steps required to assess whether your USS is vulnerable may vary\ndepending on the client application. The example below shows how to\nperform the check using `tkey-ssh-agent` and the known vulnerable USS\n`adl`.\n\n1. Insert the TKey into the client\n2. Run `tkey-ssh-agent -p --uss`\n3. When prompted for a User Supplied Secret, enter `adl`\n4. Note the public key and call it `pubkey-with-uss`\n5. Remove the TKey from the client\n6. Insert the TKey into the client again\n7. Run `tkey-ssh-agent -p`\n8. Note the public key and call it `pubkey-without-uss`\n\nExpected behavior:\n`pubkey-with-uss` and `pubkey-without-uss` should not be equal.\n\nObserved behavior:\n`pubkey-with-uss` and `pubkey-without-uss` are equal.\n\n## Workaround\n\nWe recommend everyone using `tkeyclient` to update to v1.3.0 and\nrelease new versions of the client apps using it.\n\nHowever, end users that are unable to upgrade to a new version of a client\napp, the recommendation is to change to an unaffected USS. Include\nspecific instructions for your client app.\n\n## Details\n\nWhen loading the device app an optional 32 bytes USS digest is also\nsent. The intention is to ask the end user to enter a USS of arbitrary\nlength, hash it, and then send a 32 bytes digest to TKey.\n\nHowever, there was a bug when sending the digest from the client. The\nindex in the outgoing buffer is wrong and overwrites the boolean\ndefining if the USS is used or not.\n\nThis means that if the USS digest begins with a 0, the rest of the\ndigest is not used at all. If it begins with something else, setting\nthe boolean to true, the USS is used.\n\nThe exported `LoadApp()` function calls an internal helper function\n`loadApp()` which contains this code:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1 // Note the 6 here\n    // Hash user\u0027s phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[6:], uss[:]) // Note that 6 is used again\n  }\n```\n\nA side effect of this behavior is that only 31 bytes of the USS are\nused. This is not considered a security issue, but an option has been\nadded to enforce use of the full USS. See the release notes for\ndetails. To avoid forcing all users to roll their keys, this option is\ndisabled by default and must be explicitly enabled.\n\n### The fix\n\nThe fix focuses on solving the vulnerability only by: 1) use correct\nindex, 2) always use the last 31 bytes of the USS:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1\n    // Hash user\u0027s phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[7:], uss[1:])\n  }\n```\n\nThis change means the key material of affected end users will change\ncompared to earlier versions of `tkeyclient`. They have the choice of:\n\n1. Not using a USS and keep their keys.\n2. Keep using their USS and use new generated keys.\n3. Use another USS and thus new keys.",
  "id": "GHSA-4w7r-3222-8h6v",
  "modified": "2026-03-20T21:22:09Z",
  "published": "2026-03-17T19:42:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32953"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tillitis/tkeyclient"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tillitis TKey Client has an Error in Protocol Implementation"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32953 (GCVE-0-2026-32953)

FKIE_CVE-2026-32953

GHSA-4W7R-3222-8H6V

Impact

Patches

Affected users

Workaround

Details

The fix

Tags

Sightings

Nomenclature