Detections
Analytics

openSUSE 16 Security Update : libsodium (openSUSE-SU-2026:20642-1)

critical Nessus Plugin ID 311766

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20642-1 advisory.

 Security fixes:

 - CVE-2025-15444: Cryptographic bypass via improper elliptic curve point validation (bsc#1256070).
 - CVE-2025-69277: incorrect validation of elliptic curve points certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point function (bsc#1255764).

 Other fixes:

 - Update to 1.0.21
 * The new crypto_ipcrypt_* functions implement mechanisms for securely encrypting and anonymizing IP addresses.
 * The sodium_bin2ip and sodium_ip2bin helper functions have been added to complement the crypto_ipcrypt_* functions and easily convert addresses between bytes and strings.
 * XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions are
 * standard extendable output functions. From input of any length, they can derive output of any length with the same properties as hash functions. These primitives are required by many post-quantum mechanisms, but can also be used for a wide range of applications, including key derivation, session encryption and more.
 * Performance of AES256-GCM and AEGIS on ARM has been improved with some compilers
 * Security: optblockers have been introduced in critical code paths to prevent compilers from introducing unwanted side channels via conditional jumps. This was observed on RISC-V targets with specific compilers and options.
 * Security: crypto_core_ed25519_is_valid_point() now properly rejects small-order points that are not in the main subgroup
 * ((nonnull)) attributes have been relaxed on some crypto_stream* functions to allow NULL output buffers when the output length is zero
 * A cross-compilation issue with old clang versions has been fixed
 * crypto_aead_aes256gcm_is_available is exported to JavaScript
 * Security: memory fences have been added after MAC verification in AEAD to prevent speculative access to plaintext before authentication is complete
 * Assembly files now include .gnu.property notes for proper IBT and Shadow Stack support when building with CET instrumentation.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libsodium-devel and / or libsodium26 packages.

See Also

https://bugzilla.suse.com/1255764

https://bugzilla.suse.com/1256070

https://www.suse.com/security/cve/CVE-2025-15444

https://www.suse.com/security/cve/CVE-2025-69277

Plugin Details

Severity: Critical

ID: 311766

File Name: openSUSE-2026-20642-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/2/2026

Updated: 5/2/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-15444

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libsodium-devel, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:libsodium26

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/28/2026

Vulnerability Publication Date: 12/31/2025

Reference Information

CVE: CVE-2025-15444, CVE-2025-69277

IAVA: 2026-A-0014