An update for opencryptoki is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2165 Final 1.0 1.0 2026-05-03 Initial 2026-05-03 2026-05-03 openEuler SA Tool V1.0 2026-05-03 opencryptoki security update An update for opencryptoki is now available for openEuler-24.03-LTS openCryptoki is an implementation of the PKCS #11 API that allows interfacing to devices that hold cryptographic information and perform cryptographic functions. openCryptoki provides application portability by isolating the application from the details of the cryptographic device. Isolating the application also provides an added level of security. The openCryptoki API provides a standard programming interface between applications and all kinds of portable cryptographic devices. Security Fix(es): openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available thorugh commit ed378f463ef73364c89feb0fc923f4dc867332a3.(CVE-2026-40253) An update for opencryptoki is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium opencryptoki https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2165 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40253 https://nvd.nist.gov/vuln/detail/CVE-2026-40253 openEuler-24.03-LTS opencryptoki-3.26.0-2.oe2403.x86_64.rpm opencryptoki-debuginfo-3.26.0-2.oe2403.x86_64.rpm opencryptoki-debugsource-3.26.0-2.oe2403.x86_64.rpm opencryptoki-devel-3.26.0-2.oe2403.x86_64.rpm opencryptoki-help-3.26.0-2.oe2403.noarch.rpm opencryptoki-3.26.0-2.oe2403.aarch64.rpm opencryptoki-debuginfo-3.26.0-2.oe2403.aarch64.rpm opencryptoki-debugsource-3.26.0-2.oe2403.aarch64.rpm opencryptoki-devel-3.26.0-2.oe2403.aarch64.rpm opencryptoki-3.26.0-2.oe2403.src.rpm openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available thorugh commit ed378f463ef73364c89feb0fc923f4dc867332a3. 2026-05-03 CVE-2026-40253 openEuler-24.03-LTS Medium 6.8 AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H opencryptoki security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2165