openSUSE 16 Security Update : openCryptoki (openSUSE-SU-2026:21059-1)

medium Nessus Plugin ID 324065

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21059-1 advisory.

This update for openCryptoki fixes the following issues:

Upgrade openCryptoki to version 3.27 (jsc#PED-14609):

* Add base support for PKCS#11 v3.2.
* Add support for PKCS#11 v3.2 C_VerifySignature[Init|Update|Final].
* Add support for PKCS#11 v3.2 C_EncapsulateKey/C_DecapsulateKey.
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with RSA-PKCS and RSA-OAEP mechanisms.
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the ECDH mechanism.
* Soft/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the DH-PKCS mechanism.
* Soft: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
* CCA: Add support for PKCS#11 v3.2 ML-DSA key type and mechanisms (requires CCA v8.4 or later).
* EP11: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
* p11sak: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types.
* Soft/ICA: Add support for PKCS#11 v3.2 mechanisms CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP.
* p11sak: Add support for key wrapping with PKCS#11 v3.2 mechanisms CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP.
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 mechanism CKM_PUB_KEY_FROM_PRIV_KEY.
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.0 Edwards and Montgomery key types and mechanisms.
* Soft/ICA: Support CKM_ECDH_AES_KEY_WRAP also for Montgomery keys.
* p11sak: Add support for PKCS#11 v3.0 Edwards and Montgomery key types.
* Soft: Add support for CKM_ECDH1_COFACTOR_DERIVE.
* CCA: Add support for additional RSA public exponent values 5, 17, or 257.
* p11sak: Add option to list-key command to show EP11 session IDs.
* Make the maximum number of token objects supported configurable.
* Fixes for CVE-2026-40253, CVE-2026-23893, and CVE-2026-22791.
* Bug fixes.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected openCryptoki, openCryptoki-64bit and/or openCryptoki-devel packages.

See Also

https://bugzilla.suse.com/1268745

https://www.suse.com/security/cve/CVE-2026-22791

https://www.suse.com/security/cve/CVE-2026-23893

https://www.suse.com/security/cve/CVE-2026-40253

Plugin Details

Severity: Medium

ID: 324065

File Name: openSUSE-2026-21059-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/1/2026

Updated: 7/1/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.42

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:C

CVSS Score Source: CVE-2026-40253

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:opencryptoki-64bit, p-cpe:/a:novell:opensuse:opencryptoki, p-cpe:/a:novell:opensuse:opencryptoki-devel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/25/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-22791, CVE-2026-23893, CVE-2026-40253