SUSE-SU-2026:21754-1
Vulnerability from csaf_suse - Published: 2026-05-19 17:23 - Updated: 2026-05-19 17:23Summary
Security update for leancrypto
Severity
Moderate
Notes
Title of the patch: Security update for leancrypto
Description of the patch: This update for leancrypto fixes the following issues
Security issue:
- CVE-2026-34610: The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant
cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when
stori (bsc#1261382).
Non security issues:
- gnutls Illegal instruction lc_kyber_768_kem_dec_selftest (bsc#1253654).
- gnutls: test pqc-hybrid-kx fails on Nehalem or older CPU (bsc#1254370).
Changes for leancrypto:
- Calculate the FIPS HMAC for the leancrypto and the leancrypto-fips
libraries. (bsc#1262399)
- Fix build on kernel 7.0
- Pick fix for ABI issue in AVX2 assembly for Curve448 causing
test failures when building with GCC 16.
- Update to 1.7.2:
* Fix RDSEED counter
* Process code by AI code checkers and apply suggested cosmetic fixes
* Heap memory: always munlock all mlock'ed memory
* Fix ChaCha20 on Apple compiled with XCode 26.4
* Fix a potential crasher with Base64 and applied various fixes reported
* Add X.509 certificate signing request (CSR) generator and parser
* ML-DSA: add lc_dilithium_pk_from_sk API to derive the PK from a given SK
* SLH-DSA: add lc_sphincs_pk_from_sk API to derive the PK from a given SK
* ML-KEM: add lc_kyber_pk_from_sk API to derive the PK from a given SK
* AES-CT: fix non-aligned data processing - reported
* Apply suggestions from Claude code
* X.509: Enforce path length restriction
- Update to 1.7.1
* Offer a means to select the AES-C constant time / S-Box implementation via
lc_init API
* use the AES-C constant time implementation by default - it is about 3 times
slower than the AES-C S-Box implementation, but more secure. As the
leancrypto library is about secure by default, the CT implementation is
just right. Furthermore, if a caller wants to have the faster AES-C S-Box,
he can call lc_init(LC_INIT_AES_SBOX) at the beginning.
* FIPS: mark only seeded DRBG instances as FIPS-approved
* ASN.1: add lc_x509_cert_check_issuer_ca convenience function
* Enable side-channel-resistant AES implementation (and thus enable
respective Timecop tests)
* Fix some side channel test failures (all failures are due to test case
issues, and no real problems)
* AARCH64: enable GCS support
* Add PKCS#8 support for ML-DSA following RFC9881 including full support for
the seed or full keys. The change adds OpenSSL interoperability testing as
well. NOTE: The raw on-disk private key format that is generated with
lc_x509_generate --create-keypair changed to comply with RFC9881.
* Add PKCS#8 support for SLH-DSA. The change adds OpenSSL interoperability
testing as well. NOTE: The raw on-disk private key format that is generated
with lc_x509_generate --create-keypair changed to dump the raw key instead
of wrapping it into a BIT STRING to comply with OpenSSL's format.
* Provide full PKCS#7 interoperability with OpenSSL: OpenSSL artificially
orders the parsing of the authenticated attributes. This implies that the
message digest part of the authenticated attributes is parsed as last
entry. This ordering is important for the signature generation and
verification. Furthermore, for ML-DSA/SLH-DSA, the authenticated attributes
are signed with the pure algorithm instead of the pre-hashed operation as
suggested by RFC5652 section 9.2.
* ML-KEM/DSA: add safety measures against compilers trying to reason about
code they should not reason about. Derived from
https://github.com/pq-code-package/ml[dsa|kem]-native/
* ML-DSA: reduce amount of duplicate code compilation suggested
* ML-DSA: fix bug in poly_uniform which, however, is unlikely to be triggered
* ChaCha20: fix crasher when assembler support is not compiled
* Add AES constant time C implementation accessible with the lc_aes_*ct
references. Yet, it is about 3 times slower than the default C
implementation. Thus is is only provided if somebody truly relies on a
constant time implementation.
- Fix bsc#1254370, bsc#1253654 - AVX detection is wrong on older intel CPUs
- Update to 1.6.0:
* ASN.1: use stack for small generator for small use cases
* X.509: Updates required to support the shim boot loader
* X.509: add lc_gmtime to convert Epoch to time format
* ASN.1: added to Linux kernel (for 64 bit systems only)
* Added AES-GCM and AES-XTS
* Availability: remove assert() calls throughout the code - in case of a self
test error, disable the algorithm. Instead of using assert, apply a centrally
managed test manager that stores the test status. This implies that some
initalization APIs like lc_hash_init, lc_sym_init, lc_hmac_init are changed
such that they return an error code if self tests failed. Thus, the version
is now changed as this is considered to be an ABI change. Although this
sounds heavy, the test manager is relatively small and the runtime state
should be smaller than the old approach considering the old approach uses one
global 32 bit integer per self test to maintain the state. This is now
replaced with a set of 32 bit atomic integers that hold a 3-bit field for
each algorithm. This change also adds the API call of lc_rerun_one_selftest
which allows triggering the reruning of a self test for one given algorithm.
* FIPS: Rearchitect integrity test control value generator: The build process now
uses the host's objcopy to extract the ELF sections of interest into a separate
file, use a build_machine compiled version of sha3-256sum to generate the
digest of it and reinsert it into the leancrypto-fips.so. This now allows
cross-compilation with FIPS integrity test support. There is no functional
change to leancrypto though.
* Significant reduction of compilation units by almost half by not having
global, but per-test compiled C files.
* Linux kernel: add /proc/leancrypto
* FIPS: Add negative testing support
* Add SHAKE-512 and XDRBG-512 support
* FIPS: Add FIPS indicator which implies that libleancrypto.so has the same
functionality as libleancrypto-fips.so with the exception that the latter
performs an integrity test.
* ARMv9: fix BTI for ML-DSA
- Don't strip debug symbols
- Add Linux kernel module spec file
Patchnames: SUSE-SL-Micro-6.2-789
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.9 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for leancrypto",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for leancrypto fixes the following issues\n\nSecurity issue:\n\n- CVE-2026-34610: The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant\n cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when\n stori (bsc#1261382).\n\nNon security issues:\n\n- gnutls Illegal instruction lc_kyber_768_kem_dec_selftest (bsc#1253654).\n- gnutls: test pqc-hybrid-kx fails on Nehalem or older CPU (bsc#1254370).\n\nChanges for leancrypto:\n\n- Calculate the FIPS HMAC for the leancrypto and the leancrypto-fips\n libraries. (bsc#1262399)\n- Fix build on kernel 7.0\n- Pick fix for ABI issue in AVX2 assembly for Curve448 causing\n test failures when building with GCC 16.\n- Update to 1.7.2:\n * Fix RDSEED counter\n * Process code by AI code checkers and apply suggested cosmetic fixes\n * Heap memory: always munlock all mlock\u0027ed memory\n * Fix ChaCha20 on Apple compiled with XCode 26.4\n * Fix a potential crasher with Base64 and applied various fixes reported\n * Add X.509 certificate signing request (CSR) generator and parser\n * ML-DSA: add lc_dilithium_pk_from_sk API to derive the PK from a given SK\n * SLH-DSA: add lc_sphincs_pk_from_sk API to derive the PK from a given SK\n * ML-KEM: add lc_kyber_pk_from_sk API to derive the PK from a given SK\n * AES-CT: fix non-aligned data processing - reported\n * Apply suggestions from Claude code\n * X.509: Enforce path length restriction\n- Update to 1.7.1\n * Offer a means to select the AES-C constant time / S-Box implementation via\n lc_init API\n * use the AES-C constant time implementation by default - it is about 3 times\n slower than the AES-C S-Box implementation, but more secure. As the\n leancrypto library is about secure by default, the CT implementation is\n just right. Furthermore, if a caller wants to have the faster AES-C S-Box,\n he can call lc_init(LC_INIT_AES_SBOX) at the beginning.\n * FIPS: mark only seeded DRBG instances as FIPS-approved\n * ASN.1: add lc_x509_cert_check_issuer_ca convenience function\n * Enable side-channel-resistant AES implementation (and thus enable\n respective Timecop tests)\n * Fix some side channel test failures (all failures are due to test case\n issues, and no real problems)\n * AARCH64: enable GCS support\n * Add PKCS#8 support for ML-DSA following RFC9881 including full support for\n the seed or full keys. The change adds OpenSSL interoperability testing as\n well. NOTE: The raw on-disk private key format that is generated with\n lc_x509_generate --create-keypair changed to comply with RFC9881.\n * Add PKCS#8 support for SLH-DSA. The change adds OpenSSL interoperability\n testing as well. NOTE: The raw on-disk private key format that is generated\n with lc_x509_generate --create-keypair changed to dump the raw key instead\n of wrapping it into a BIT STRING to comply with OpenSSL\u0027s format.\n * Provide full PKCS#7 interoperability with OpenSSL: OpenSSL artificially\n orders the parsing of the authenticated attributes. This implies that the\n message digest part of the authenticated attributes is parsed as last\n entry. This ordering is important for the signature generation and\n verification. Furthermore, for ML-DSA/SLH-DSA, the authenticated attributes\n are signed with the pure algorithm instead of the pre-hashed operation as\n suggested by RFC5652 section 9.2.\n * ML-KEM/DSA: add safety measures against compilers trying to reason about\n code they should not reason about. Derived from\n https://github.com/pq-code-package/ml[dsa|kem]-native/\n * ML-DSA: reduce amount of duplicate code compilation suggested\n * ML-DSA: fix bug in poly_uniform which, however, is unlikely to be triggered\n * ChaCha20: fix crasher when assembler support is not compiled\n * Add AES constant time C implementation accessible with the lc_aes_*ct\n references. Yet, it is about 3 times slower than the default C\n implementation. Thus is is only provided if somebody truly relies on a\n constant time implementation.\n- Fix bsc#1254370, bsc#1253654 - AVX detection is wrong on older intel CPUs\n- Update to 1.6.0:\n * ASN.1: use stack for small generator for small use cases\n * X.509: Updates required to support the shim boot loader\n * X.509: add lc_gmtime to convert Epoch to time format\n * ASN.1: added to Linux kernel (for 64 bit systems only)\n * Added AES-GCM and AES-XTS\n * Availability: remove assert() calls throughout the code - in case of a self\n test error, disable the algorithm. Instead of using assert, apply a centrally\n managed test manager that stores the test status. This implies that some\n initalization APIs like lc_hash_init, lc_sym_init, lc_hmac_init are changed\n such that they return an error code if self tests failed. Thus, the version\n is now changed as this is considered to be an ABI change. Although this\n sounds heavy, the test manager is relatively small and the runtime state\n should be smaller than the old approach considering the old approach uses one\n global 32 bit integer per self test to maintain the state. This is now\n replaced with a set of 32 bit atomic integers that hold a 3-bit field for\n each algorithm. This change also adds the API call of lc_rerun_one_selftest\n which allows triggering the reruning of a self test for one given algorithm.\n * FIPS: Rearchitect integrity test control value generator: The build process now\n uses the host\u0027s objcopy to extract the ELF sections of interest into a separate\n file, use a build_machine compiled version of sha3-256sum to generate the\n digest of it and reinsert it into the leancrypto-fips.so. This now allows\n cross-compilation with FIPS integrity test support. There is no functional\n change to leancrypto though.\n * Significant reduction of compilation units by almost half by not having\n global, but per-test compiled C files.\n * Linux kernel: add /proc/leancrypto\n * FIPS: Add negative testing support\n * Add SHAKE-512 and XDRBG-512 support\n * FIPS: Add FIPS indicator which implies that libleancrypto.so has the same\n functionality as libleancrypto-fips.so with the exception that the latter\n performs an integrity test.\n * ARMv9: fix BTI for ML-DSA\n- Don\u0027t strip debug symbols\n- Add Linux kernel module spec file\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-789",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21754-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21754-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621754-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21754-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046762.html"
},
{
"category": "self",
"summary": "SUSE Bug 1253654",
"url": "https://bugzilla.suse.com/1253654"
},
{
"category": "self",
"summary": "SUSE Bug 1254370",
"url": "https://bugzilla.suse.com/1254370"
},
{
"category": "self",
"summary": "SUSE Bug 1261382",
"url": "https://bugzilla.suse.com/1261382"
},
{
"category": "self",
"summary": "SUSE Bug 1262399",
"url": "https://bugzilla.suse.com/1262399"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34610 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34610/"
}
],
"title": "Security update for leancrypto",
"tracking": {
"current_release_date": "2026-05-19T17:23:48Z",
"generator": {
"date": "2026-05-19T17:23:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21754-1",
"initial_release_date": "2026-05-19T17:23:48Z",
"revision_history": [
{
"date": "2026-05-19T17:23:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libleancrypto1-1.7.2-160000.1.1.aarch64",
"product": {
"name": "libleancrypto1-1.7.2-160000.1.1.aarch64",
"product_id": "libleancrypto1-1.7.2-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libleancrypto1-1.7.2-160000.1.1.ppc64le",
"product": {
"name": "libleancrypto1-1.7.2-160000.1.1.ppc64le",
"product_id": "libleancrypto1-1.7.2-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libleancrypto1-1.7.2-160000.1.1.s390x",
"product": {
"name": "libleancrypto1-1.7.2-160000.1.1.s390x",
"product_id": "libleancrypto1-1.7.2-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libleancrypto1-1.7.2-160000.1.1.x86_64",
"product": {
"name": "libleancrypto1-1.7.2-160000.1.1.x86_64",
"product_id": "libleancrypto1-1.7.2-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libleancrypto1-1.7.2-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.aarch64"
},
"product_reference": "libleancrypto1-1.7.2-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libleancrypto1-1.7.2-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.ppc64le"
},
"product_reference": "libleancrypto1-1.7.2-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libleancrypto1-1.7.2-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.s390x"
},
"product_reference": "libleancrypto1-1.7.2-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libleancrypto1-1.7.2-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.x86_64"
},
"product_reference": "libleancrypto1-1.7.2-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34610",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34610"
}
],
"notes": [
{
"category": "general",
"text": "The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lc_x509_extract_name_segment() casts size_t vlen to uint8_t when storing the Common Name (CN) length. An attacker who crafts a certificate with CN = victim\u0027s CN + 256 bytes padding gets cn_size = (uint8_t)(256 + N) = N, where N is the victim\u0027s CN length. The first N bytes of the attacker\u0027s CN are the victim\u0027s identity. After parsing, the attacker\u0027s certificate has an identical CN to the victim\u0027s - enabling identity impersonation in PKCS#7 verification, certificate chain matching, and code signing. This issue has been patched in version 1.7.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34610",
"url": "https://www.suse.com/security/cve/CVE-2026-34610"
},
{
"category": "external",
"summary": "SUSE Bug 1261382 for CVE-2026-34610",
"url": "https://bugzilla.suse.com/1261382"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.s390x",
"SUSE Linux Micro 6.2:libleancrypto1-1.7.2-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-19T17:23:48Z",
"details": "moderate"
}
],
"title": "CVE-2026-34610"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…