{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-32953",
        "tracking": {
            "current_release_date": "2026-03-25T18:13:42.935051Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-32953",
            "initial_release_date": "2026-03-17T21:00:14.842283Z",
            "revision_history": [
                {
                    "date": "2026-03-17T21:00:14.842283Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-17T21:00:17.619104Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-18T00:43:05.760251Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)"
                },
                {
                    "date": "2026-03-19T11:40:25.298885Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:25:50.830499Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:25:55.091938Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:29:41.183914Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:29:43.229311Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:39:02.734312Z",
                    "number": "9",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-20T21:41:44.201668Z",
                    "number": "10",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-20T21:59:17.765696Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T21:59:22.532339Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-21T06:43:16.394437Z",
                    "number": "13",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-03-21T13:47:29.660288Z",
                    "number": "14",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-22T00:51:55.534572Z",
                    "number": "15",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-22T11:24:57.419724Z",
                    "number": "16",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-23T00:54:06.399600Z",
                    "number": "17",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-23T05:16:03.273364Z",
                    "number": "18",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-24T20:56:29.794968Z",
                    "number": "19",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-25T18:13:19.413407Z",
                    "number": "20",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T18:13:21.908070Z",
                    "number": "21",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T18:13:40.857024Z",
                    "number": "22",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (4)."
                }
            ],
            "status": "interim",
            "version": "22"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.3.0",
                                "product": {
                                    "name": "vers:unknown/<1.3.0",
                                    "product_id": "CSAFPID-5874519"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<1.3.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<1.3.0",
                                    "product_id": "CSAFPID-5907248"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "tkeyclient"
                    }
                ],
                "category": "vendor",
                "name": "tillitis"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-32953",
            "cwe": {
                "id": "CWE-303",
                "name": "Incorrect Implementation of Authentication Algorithm"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Impact\n\nSome specific (1 out of 256) User Supplied Secrets (USS) were not used,\nmaking the resulting Compound Device Identifier (CDI) the same as if no\nUSS was provided.\n\nAffected client applications: all client apps using the\n[tkeyclient](https://github.com/tillitis/tkeyclient) Go module.\n\n## Patches\n\nUpgrade to v1.3.0.\n\n**NOTE WELL**: For the affected end users upgrading an app containing\n`tkeyclient` to v1.3.0 means their key material will change. An end\nuser can get their old keys by not entering any USS. Please make sure\nto communicate this to end users.\n\n## Affected users\n\nThe steps required to assess whether your USS is vulnerable may vary\ndepending on the client application. The example below shows how to\nperform the check using `tkey-ssh-agent` and the known vulnerable USS\n`adl`.\n\n1. Insert the TKey into the client\n2. Run `tkey-ssh-agent -p --uss`\n3. When prompted for a User Supplied Secret, enter `adl`\n4. Note the public key and call it `pubkey-with-uss`\n5. Remove the TKey from the client\n6. Insert the TKey into the client again\n7. Run `tkey-ssh-agent -p`\n8. Note the public key and call it `pubkey-without-uss`\n\nExpected behavior:\n`pubkey-with-uss` and `pubkey-without-uss` should not be equal.\n\nObserved behavior:\n`pubkey-with-uss` and `pubkey-without-uss` are equal.\n\n## Workaround\n\nWe recommend everyone using `tkeyclient` to update to v1.3.0 and\nrelease new versions of the client apps using it.\n\nHowever, end users that are unable to upgrade to a new version of a client\napp, the recommendation is to change to an unaffected USS. Include\nspecific instructions for your client app.\n\n## Details\n\nWhen loading the device app an optional 32 bytes USS digest is also\nsent. The intention is to ask the end user to enter a USS of arbitrary\nlength, hash it, and then send a 32 bytes digest to TKey.\n\nHowever, there was a bug when sending the digest from the client. The\nindex in the outgoing buffer is wrong and overwrites the boolean\ndefining if the USS is used or not.\n\nThis means that if the USS digest begins with a 0, the rest of the\ndigest is not used at all. If it begins with something else, setting\nthe boolean to true, the USS is used.\n\nThe exported `LoadApp()` function calls an internal helper function\n`loadApp()` which contains this code:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1 // Note the 6 here\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[6:], uss[:]) // Note that 6 is used again\n  }\n```\n\nA side effect of this behavior is that only 31 bytes of the USS are\nused. This is not considered a security issue, but an option has been\nadded to enforce use of the full USS. See the release notes for\ndetails. To avoid forcing all users to roll their keys, this option is\ndisabled by default and must be explicitly enabled.\n\n### The fix\n\nThe fix focuses on solving the vulnerability only by: 1) use correct\nindex, 2) always use the last 31 bytes of the USS:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[7:], uss[1:])\n  }\n```\n\nThis change means the key material of affected end users will change\ncompared to earlier versions of `tkeyclient`. They have the choice of:\n\n1. Not using a USS and keep their keys.\n2. Keep using their USS and use new generated keys.\n3. Use another USS and thus new keys.",
                    "title": "github - https://github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "description",
                    "text": "## Impact\n\nSome specific (1 out of 256) User Supplied Secrets (USS) were not used,\nmaking the resulting Compound Device Identifier (CDI) the same as if no\nUSS was provided.\n\nAffected client applications: all client apps using the\n[tkeyclient](https://github.com/tillitis/tkeyclient) Go module.\n\n## Patches\n\nUpgrade to v1.3.0.\n\n**NOTE WELL**: For the affected end users upgrading an app containing\n`tkeyclient` to v1.3.0 means their key material will change. An end\nuser can get their old keys by not entering any USS. Please make sure\nto communicate this to end users.\n\n## Affected users\n\nThe steps required to assess whether your USS is vulnerable may vary\ndepending on the client application. The example below shows how to\nperform the check using `tkey-ssh-agent` and the known vulnerable USS\n`adl`.\n\n1. Insert the TKey into the client\n2. Run `tkey-ssh-agent -p --uss`\n3. When prompted for a User Supplied Secret, enter `adl`\n4. Note the public key and call it `pubkey-with-uss`\n5. Remove the TKey from the client\n6. Insert the TKey into the client again\n7. Run `tkey-ssh-agent -p`\n8. Note the public key and call it `pubkey-without-uss`\n\nExpected behavior:\n`pubkey-with-uss` and `pubkey-without-uss` should not be equal.\n\nObserved behavior:\n`pubkey-with-uss` and `pubkey-without-uss` are equal.\n\n## Workaround\n\nWe recommend everyone using `tkeyclient` to update to v1.3.0 and\nrelease new versions of the client apps using it.\n\nHowever, end users that are unable to upgrade to a new version of a client\napp, the recommendation is to change to an unaffected USS. Include\nspecific instructions for your client app.\n\n## Details\n\nWhen loading the device app an optional 32 bytes USS digest is also\nsent. The intention is to ask the end user to enter a USS of arbitrary\nlength, hash it, and then send a 32 bytes digest to TKey.\n\nHowever, there was a bug when sending the digest from the client. The\nindex in the outgoing buffer is wrong and overwrites the boolean\ndefining if the USS is used or not.\n\nThis means that if the USS digest begins with a 0, the rest of the\ndigest is not used at all. If it begins with something else, setting\nthe boolean to true, the USS is used.\n\nThe exported `LoadApp()` function calls an internal helper function\n`loadApp()` which contains this code:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1 // Note the 6 here\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[6:], uss[:]) // Note that 6 is used again\n  }\n```\n\nA side effect of this behavior is that only 31 bytes of the USS are\nused. This is not considered a security issue, but an option has been\nadded to enforce use of the full USS. See the release notes for\ndetails. To avoid forcing all users to roll their keys, this option is\ndisabled by default and must be explicitly enabled.\n\n### The fix\n\nThe fix focuses on solving the vulnerability only by: 1) use correct\nindex, 2) always use the last 31 bytes of the USS:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[7:], uss[1:])\n  }\n```\n\nThis change means the key material of affected end users will change\ncompared to earlier versions of `tkeyclient`. They have the choice of:\n\n1. Not using a USS and keep their keys.\n2. Keep using their USS and use new generated keys.\n3. Use another USS and thus new keys.",
                    "title": "github - https://api.github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "description",
                    "text": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32953.json"
                },
                {
                    "category": "description",
                    "text": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32953"
                },
                {
                    "category": "description",
                    "text": "Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets (USS) to be silently ignored, producing the same Compound Device Identifier (CDI)—and thus the same key material—as if no USS is provided. This happens because a buffer index error overwrites the USS-enabled boolean with the first byte of the USS digest, so any USS whose hash starts with 0x00 is effectively discarded. This issue has been fixed in version 1.3.0. Users unable to upgrade immediately should switch to a USS whose hash does not begin with a zero byte.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-32953"
                },
                {
                    "category": "description",
                    "text": "## Impact\n\nSome specific (1 out of 256) User Supplied Secrets (USS) were not used,\nmaking the resulting Compound Device Identifier (CDI) the same as if no\nUSS was provided.\n\nAffected client applications: all client apps using the\n[tkeyclient](https://github.com/tillitis/tkeyclient) Go module.\n\n## Patches\n\nUpgrade to v1.3.0.\n\n**NOTE WELL**: For the affected end users upgrading an app containing\n`tkeyclient` to v1.3.0 means their key material will change. An end\nuser can get their old keys by not entering any USS. Please make sure\nto communicate this to end users.\n\n## Affected users\n\nThe steps required to assess whether your USS is vulnerable may vary\ndepending on the client application. The example below shows how to\nperform the check using `tkey-ssh-agent` and the known vulnerable USS\n`adl`.\n\n1. Insert the TKey into the client\n2. Run `tkey-ssh-agent -p --uss`\n3. When prompted for a User Supplied Secret, enter `adl`\n4. Note the public key and call it `pubkey-with-uss`\n5. Remove the TKey from the client\n6. Insert the TKey into the client again\n7. Run `tkey-ssh-agent -p`\n8. Note the public key and call it `pubkey-without-uss`\n\nExpected behavior:\n`pubkey-with-uss` and `pubkey-without-uss` should not be equal.\n\nObserved behavior:\n`pubkey-with-uss` and `pubkey-without-uss` are equal.\n\n## Workaround\n\nWe recommend everyone using `tkeyclient` to update to v1.3.0 and\nrelease new versions of the client apps using it.\n\nHowever, end users that are unable to upgrade to a new version of a client\napp, the recommendation is to change to an unaffected USS. Include\nspecific instructions for your client app.\n\n## Details\n\nWhen loading the device app an optional 32 bytes USS digest is also\nsent. The intention is to ask the end user to enter a USS of arbitrary\nlength, hash it, and then send a 32 bytes digest to TKey.\n\nHowever, there was a bug when sending the digest from the client. The\nindex in the outgoing buffer is wrong and overwrites the boolean\ndefining if the USS is used or not.\n\nThis means that if the USS digest begins with a 0, the rest of the\ndigest is not used at all. If it begins with something else, setting\nthe boolean to true, the USS is used.\n\nThe exported `LoadApp()` function calls an internal helper function\n`loadApp()` which contains this code:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1 // Note the 6 here\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[6:], uss[:]) // Note that 6 is used again\n  }\n```\n\nA side effect of this behavior is that only 31 bytes of the USS are\nused. This is not considered a security issue, but an option has been\nadded to enforce use of the full USS. See the release notes for\ndetails. To avoid forcing all users to roll their keys, this option is\ndisabled by default and must be explicitly enabled.\n\n### The fix\n\nThe fix focuses on solving the vulnerability only by: 1) use correct\nindex, 2) always use the last 31 bytes of the USS:\n\n```go\n  if len(secretPhrase) == 0 {\n    tx[6] = 0\n  } else {\n    tx[6] = 1\n    // Hash user's phrase as USS\n    uss := blake2s.Sum256(secretPhrase)\n    copy(tx[7:], uss[1:])\n  }\n```\n\nThis change means the key material of affected end users will change\ncompared to earlier versions of `tkeyclient`. They have the choice of:\n\n1. Not using a USS and keep their keys.\n2. Keep using their USS and use new generated keys.\n3. Use another USS and thus new keys.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-4w7r-3222-8h6v.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Tillitis TKey Client has an Error in Protocol Implementation in github.com/tillitis/tkeyclient",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4728.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00016",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "4.7",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "3.7",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is cwe data available from source Nvd, The value of the most recent EPSS score, The value of the most recent CVSS (V3) score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5874519",
                    "CSAFPID-5907248"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-32953"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32953.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32953"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-4w7r-3222-8h6v.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4728.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/tillitis/tkeyclient/commit/4954dccf0287657edf8d405057e134cdff9c59e8"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/tillitis/tkeyclient/releases/tag/v1.3.0"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-4w7r-3222-8h6v"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32953"
                }
            ],
            "title": "CVE-2026-32953"
        }
    ]
}