PT-2026-25989 · Tillitis · Tillitis Tkey Client
Dehanj · Published 2026-01-01 · Updated 2026-03-27 · CVE-2026-32953
CVSS v4.0: 4.7 (Medium)
| Vector | AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Tillitis TKey Client versions 1.2.0 and below
Description
The tkeyclient Go module of the Tillitis TKey Client has a buffer index error in the internal loadApp() function, which the exported LoadApp() calls. When the client copies the digest of the User Supplied Secret (USS) into the load-app command, the copy starts at the index of the byte that marks a USS as present, so the first byte of the digest overwrites that flag. Any USS whose digest begins with 0x00 therefore clears the flag and is silently discarded: the TKey derives the same Compound Device Identifier (CDI) and the same key material as if no USS had been supplied. Because the first byte of a digest is uniformly distributed, this hits roughly 1 in 256 USS values, and nothing in the client reports it. For an affected USS the secret adds no protection: the resulting key material is the no-USS key material for that device and app, reproducible by anyone who can run the same app on that TKey. The issue affects every client application that loads apps with a USS through the tkeyclient Go module.
Recommendations
Upgrade to version 1.3.0.
For users unable to upgrade immediately, switch to a USS whose digest does not begin with 0x00; whether a given USS is affected can be checked by computing the same digest the client does and inspecting its first byte. Note that the fix changes behaviour for affected USS values only: a USS that versions 1.2.0 and below silently discarded is honoured by 1.3.0, so the CDI and keys derived with it will differ from those obtained under the buggy client (which were the no-USS keys).
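The bug class from the description and the workaround check from the recommendations, as an added example that is not tkeyclient's own code. It assumes a hypothetical load-app command layout (4-byte size, 1-byte "USS present" flag, 32-byte digest), uses SHA-256 as a stand-in for whatever 32-byte digest the client computes over the USS, and models the firmware's CDI derivation with a toy hash that only mixes in the USS digest when the flag byte is set. All inputs are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Illustrative load-app command layout. This is an assumption for the
// example, not the TKey wire format: a 4-byte little-endian app size,
// a 1-byte "USS present" flag and a 32-byte USS digest.
const (
	sizeOff   = 0
	flagOff   = 4
	digestOff = 5
	frameLen  = digestOff + 32
)

// digestUSS stands in for the client's USS hashing step. The real client
// uses its own 32-byte digest; SHA-256 is used here only so the example
// runs with the Go standard library. The 1-in-256 figure does not depend
// on which hash is used, only on its first byte being uniform.
func digestUSS(uss []byte) [32]byte { return sha256.Sum256(uss) }

// buildFrameVulnerable models the bug class the advisory describes: the
// digest is copied one byte too early, so digest[0] lands on the flag
// byte. When digest[0] == 0x00 the flag is cleared and the USS is
// silently dropped. (Hypothetical code, not tkeyclient's loadApp().)
func buildFrameVulnerable(appSize uint32, uss []byte) []byte {
	tx := make([]byte, frameLen)
	binary.LittleEndian.PutUint32(tx[sizeOff:], appSize)
	if uss != nil {
		tx[flagOff] = 1
		d := digestUSS(uss)
		copy(tx[flagOff:], d[:]) // BUG: should start at digestOff
	}
	return tx
}

// buildFrameFixed writes the digest at its own offset, leaving the flag
// byte intact.
func buildFrameFixed(appSize uint32, uss []byte) []byte {
	tx := make([]byte, frameLen)
	binary.LittleEndian.PutUint32(tx[sizeOff:], appSize)
	if uss != nil {
		tx[flagOff] = 1
		d := digestUSS(uss)
		copy(tx[digestOff:], d[:])
	}
	return tx
}

// deriveCDI is a toy model of the firmware side: the CDI mixes in the
// USS digest only when the flag byte is set. The real derivation also
// involves the device secret and differs in construction; only the
// gating on the flag matters for this example.
func deriveCDI(frame []byte, appDigest [32]byte) [32]byte {
	h := sha256.New()
	h.Write(appDigest[:])
	if frame[flagOff] != 0 {
		h.Write(frame[digestOff : digestOff+32])
	}
	var cdi [32]byte
	copy(cdi[:], h.Sum(nil))
	return cdi
}

// ussSilentlyDropped is the check behind the advisory's workaround: a
// USS is discarded by the buggy client exactly when its digest starts
// with 0x00.
func ussSilentlyDropped(uss []byte) bool {
	d := digestUSS(uss)
	return d[0] == 0x00
}

// findUSS brute-forces a constructed USS that is (or is not) in the
// affected 1-in-256 class, so the failure mode can be shown on demand.
func findUSS(wantDropped bool) []byte {
	for i := 0; ; i++ {
		uss := []byte(fmt.Sprintf("constructed-uss-%d", i))
		if ussSilentlyDropped(uss) == wantDropped {
			return uss
		}
	}
}

func main() {
	appDigest := sha256.Sum256([]byte("constructed app image"))
	bad := findUSS(true)
	noUSS := deriveCDI(buildFrameVulnerable(4096, nil), appDigest)
	vuln := deriveCDI(buildFrameVulnerable(4096, bad), appDigest)
	fixed := deriveCDI(buildFrameFixed(4096, bad), appDigest)
	fmt.Printf("USS %q: buggy client CDI equals no-USS CDI: %v\n", bad, vuln == noUSS)
	fmt.Printf("USS %q: fixed client CDI equals no-USS CDI: %v\n", bad, fixed == noUSS)
}
```

Running it prints a USS whose stand-in digest starts with 0x00, for which the buggy framing yields the no-USS CDI while the fixed framing does not. For the other 255 of 256 USS values the flag survives, but the digest the firmware sees is still shifted by one byte in the buggy framing, so the keys differ from what the fixed client produces; the point of the workaround is only that those keys are not the unprotected no-USS keys.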
Affected Products
Tillitis Tkey Client
Tkeyclient