Detections
Analytics

openSUSE 16 Security Update : openCryptoki (openSUSE-SU-2026:20233-1)

medium Nessus Plugin ID 299146

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20233-1 advisory.

 Upgrade openCryptoki to 3.26 (jsc#PED-14609)

 Security fixes:

 - CVE-2026-22791: supplying malformed compressed EC public key can lead to heap corruption or denial-of- service (bsc#1256673).
 - CVE-2026-23893: Privilege Escalation or Data Exposure via Symlink Following (bsc#1257116).

 Other fixes:

 * Soft: Add support for RSA keys up to 16K bits.
 * CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
 * p11sak: Add support for generating RSA keys up to 16K bits.
 * Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
 * Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
 * p11sak: Add support for SHA-HMAC key types and key generation.
 * p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping with various key wrapping mechanism.
 * p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
 * p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
 * Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
 * EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
 * p11sak: Add support for generating BLS12-381 EC keys.
 * EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
 * CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
 * Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
 * p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
 * Bug fixes.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected openCryptoki, openCryptoki-64bit and / or openCryptoki-devel packages.

See Also

https://bugzilla.suse.com/1256673

https://bugzilla.suse.com/1257116

https://www.suse.com/security/cve/CVE-2026-22791

https://www.suse.com/security/cve/CVE-2026-23893

Plugin Details

Severity: Medium

ID: 299146

File Name: openSUSE-2026-20233-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/16/2026

Updated: 2/16/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Medium

Base Score: 5.2

Temporal Score: 4.1

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:C

CVSS Score Source: CVE-2026-22791

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:opencryptoki-64bit, p-cpe:/a:novell:opensuse:opencryptoki, p-cpe:/a:novell:opensuse:opencryptoki-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/13/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-22791, CVE-2026-23893