SUSE-SU-2026:2777-1: moderate: Security update for cryptsetup, s390-tools

SLE-UPDATES null at suse.de
Mon Jul 6 16:35:39 UTC 2026


# Security update for cryptsetup, s390-tools

Announcement ID: SUSE-SU-2026:2777-1  
Release Date: 2026-07-06T08:57:17Z  
Rating: moderate  
References:

  * bsc#1241612
  * bsc#1259314
  * bsc#1261813
  * bsc#1270185
  * jsc#PED-14586
  * jsc#PED-15860
  * jsc#PED-15889

  
Cross-References:

  * CVE-2026-41676

  
CVSS scores:

  * CVE-2026-41676 ( SUSE ):  8.3
    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-41676 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
  * CVE-2026-41676 ( NVD ):  7.2
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2026-41676 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * Basesystem Module 15-SP7
  * SUSE Linux Enterprise Desktop 15 SP7
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves one vulnerability, contains three features and has three
security fixes can now be installed.

## Description:

This update for cryptsetup, s390-tools fixes the following issue

Security fixes:

  * CVE-2026-41676: openssl: `Deriver:derive` and `PkeyCtxRef:derive` can
    overflow short buffers on OpenSSL 1.1.1 (bsc#1270185).

Changes for s390-tools:

  * Upgrade s390-tools to version 2.41.0 (jsc#PED-15860)
  * Automatically set appropriate MTU for HSCI (bsc#1259314)
  * Changes of existing tools:
  * chreipl: Make --bootparms work for ECKD re-IPL
  * cpacfstats: Add 'unauthorized' state to CPU-MF counters
  * cpictl: Detect RHCOS using VARIANT_ID
  * hsci: Automatically set appropriate MTU for HSCI
  * libutil: Add util_readlink() and util_readlinkat() helpers
  * libutil: Add util_startswith() to util_str
  * libutil: Add utility parsing functions
  * lschp: Add support for structured output (--format)
  * lsreipl: Suppress 'clear' output if not supported
  * pvimg: Add '\--format text' support to 'pvimg info'
  * pvimg: Add '\--print-schema ' option to 'pvimg info'
  * pvimg: Add '\--show-secrets' flag to 'pvimg info'
  * pvimg: Provide improved JSON output to 'pvimg info --format json'
  * pvinfo: Improve User experience on non-SE enabled systems
  * zipl/ngdump: Ensure ext4 file system is used on dump partition
  * zkey: Add support for integrity protected disks using HMAC keys
  * Bug Fixes:
  * cpumf/pai: Handle different size of perf_event_attr
  * lscss: Fix memory leak
  * zipl: Fix dump job on tape devices \--- s390-tools 2.40 includes ---
  * Add new tools / libraries:
  * Add project-wide .clang-tidy configuration
  * libutil: Introduce util_time for time related functionality
  * libutil: Introduce zsh/bash autocompletion tooling based on util_opt
  * pvinfo: Tool to display Secure Execution system information
  * pvverify: Tool to verify host-key documents
  * Changes of existing tools:
  * cpumf: Implement zsh and bash autocompletion
  * dasdfmt: Implement zsh and bash autocompletion
  * dbginfo.sh: Add NetworkManager and netplan
  * dbginfo.sh: Add kvm_stat
  * dbginfo.sh: Adding stp time information
  * dbginfo.sh: Simplify procfs collection
  * hyptop: Add physical information row
  * hyptop: Calculate sample time delta for physical partition
  * hyptop: Replace long option names using _ with - for consistency For
    example: --cpu_types > \--cpu-types (Options with _ are still supported for
    backward compatibility)
  * libekmfweb: Add function to validate a certificate against the identity key
  * netboot: Add longer kernel command lines support
  * udev/rules.d: Make virtio-blk devices non-rotational
  * udev/rules.d: Set default io scheduler to 'none' for virtio-blk
  * ziomon: Add support to sample device symlinks (/dev/disk/...)
  * ziorep_config: Add fcp-lun details to -M option output
  * ziorep_config: Add port_id and failed attributes to -A option output
  * netboot: Install on non-s390 architectures
  * Bug Fixes:
  * lib(ekmfweb|kmipclient): Use ln without -r
  * s390-tools: Fix various compilation issues with musl libc
  * zipl/boot: Fix unused loadparm when SCLP line-mode console is absent \---
    s390-tools 2.39 includes ---
  * Changes of existing tools:
  * chpstat: Add options to select IEC units for scaling (SI units are default)
  * chzdev: Introduce --no-module-load option
  * cpi: Disable CPI for SEL guests by default
  * dbginfo.sh: Enhance logging on timeout triggered
  * iucvterm: Install symlink for lsiucvallow.8 man page
  * lshwc: Add command line flag to specify individual counters
  * lspai: Add command line flag for delta values
  * lspai: Add command line flag for short counter names
  * lspai: Add command line flag to specify individual counters
  * lspai: Add command line flags for all cpus
  * lspai: Add command line flags for hexadecimal output
  * man: Use CR for constant width font
  * pvimg: Add '\--image-key' option
  * zdev: Allow dynamic control of module load
  * zipl/boot: Fix EBCDIC code page 500 conversion and decrease size by 200
    bytes
  * zipl: Add support of heterogeneous mirrors (remove technical limitations on
    mirrored targets, thus allowing mirrored devices consist of partitions at
    different offsets on disks of different types and geometry).
  * zkey: Add support for generating and importing exportable secure keys
  * Bug Fixes:
  * chpstat: Fix scaling of DPU utilization calculation
  * zdev/dracut: Prevent loading of unused kernel modules
  * zdev: Fix double device configuration on DPM systems
  * zdev: Fix double device configuration with rd.dasd
  * zipl_helper.device-mapper: Fix segfault in an error path \--- s390-tools
    2.38 includes ---
  * Add new tools
    * udev: New rule to set newly hotplugged CPUs online
    * zmemtopo: Display memory topology information
    * zpwr: Display power readings of a partition and CPC
  * Removed tools / features
    * check_hostkeydoc: Remove installation target
    * scsi_logging_level: Delete SCSI logging script (available in sg3_utils)
    * zdump: Drop build_arch for s390 DASD dumps
    * zdump: Drop non-extended multi-volume DASD dump support
    * zdump: Drop support of 32-bit dump architecture
    * zdump: Drop support of non-extended single volume DASD dumpers
    * zdump: Drop support of obsolete dumps and dumpers
  * Changes of existing tools / libraries
    * Various man-pages fixes
    * check_hostkeydoc: Add deprecation warning
    * check_hostkeydoc: Move to scripts directory
    * cpuplugd: Allow cpu hotplugging on systems without polarization
    * dbginfo.sh: Add Ubuntu snap tool
    * dbginfo.sh: Add missing config data and logs
    * dbginfo.sh: Reworking the container section
    * dbginfo.sh: Update for network commands
    * dbginfo.sh: Updating info for disks and lvm
    * libutil: Add machine type definition for machines 9175 and 9176
    * lscpumf: Add support for IBM z17 counter sets
    * lshwc: Add command line flag for run time
    * lshwc: Add flags to display counter values in hex
    * lshwc: Add output '\--format' option
    * lshwc: Add support for delta counter value display
    * lspai: Add output '\--format' option
    * lsreipl: Add secure boot state to output
    * lswhc: Add short names to lshwc output
    * pv_tools: Add Bash and Zsh completions
    * pvapconfig: Add '\--unbind' option
    * pvimg/boot: Print error messages from stage3a bootloader
    * pvimg: Add support for CCK update
    * pvsecret: Add support for CCK update
    * pvsecret: Allow retrieving secrets by index; warn for duplicated entries
    * pvsecret: Deny adding secrets with duplicated secret IDs
    * zdev: Add support for virtio devices
    * zipl: Enhance mirror support
    * zipl: Implement '\--dry-run' option for all dump jobs
    * zipl_helper.device-mapper: Support mirrors over NVMe devices
    * zkey/dracut: Add a dracut config file for zkey
    * zkey/initramfs: Update initramfs hook to correct drivers and include zkey plugins
    * zkey: Add support for converting a clear-key LUKS2 volume to use a secure key
  * Bug Fixes
    * chpstat: Add missing CMG 5 data fields
    * chpstat: Fix DPU utilization calculation
    * libutil/util_file: Handle over-read in util_file_read_fd()
    * pvattest: Fix successful 'check' evaluation
    * pvsecret: Fix some edge cases for plaintext keys
    * zipl_helper.device-mapper: Fix imprecise is_device_mapper() predicate
    * zkey: Fix EP11 secure key reencipher function
    * zpcictl: Fix command line parsing for invalid options
  * Amended the .spec file
  * "Installing" all shipped rules from etc/udev/rules.d to
    /usr/lib/udev/rules.d
  * BuildRequires: cryptsetup-devel > 2.8.2
  * Updated the code for IBM z17 machine type 9176:
  * read_values.c
  * cputype
  * Renamed cputype.1 to cputype.8 and amended
  * Amended read_values.8
  * "Improved" the read_values.c:
  * Added functionalities for '-a' and '-L attributes'
  * Removed legacy suse_version and sle_version conditionals, standardizing on
    UsrMerge paths.
  * Reworked and combined all s390-tools patches (jsc#PED-14586)
  * Added new combined and reworked patches
  * Removed obsolete patches
  * Applied patches (bsc#1261813)
  * Replace sort_field option with sort
  * hyptop opts Fix long command line option abbreviations
  * Removed obsolete patch
  * Re-vendor-ed vendor.tar.zst

Changes for cryptsetup:

  * Update to 2.8.4: (jsc#PED-15889)
  * Fix integritysetup resize (grow) of the device if integrity bitmap mode is
    used. Increasing the integrity device in bitmap mode did not work as
    integritysetup incorrectly used journal settings that were not applicable.
  * Fix device size status reports in cryptsetup and integritysetup. If the
    device uses a sector size larger than 512 bytes, the newly reported byte
    sizes (introduced in 2.8.0) in the status report were incorrectly displayed.
  * BITLK: Fix unlocking BitLocker device with recovery passphrase. If the
    recovery passphrase was present in the first keyslot, the device failed to
    unlock. This bug was introduced in 2.8.2 with Clear Key support.

  * Update to 2.8.3:

  * Stable bug-fix release with minor extensions.
  * Update to 2.8.2:
  * BITLK: Fix for BitLocker metadata validation on big-endian systems.

  * Update to 2.8.1:

  * Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that
    use chained ciphers.
  * Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8
    characters in the passphrase.
  * Do not allow activation of the LUKS2 device if the used keyslot is not
    encrypted (it uses a null cipher).
    * Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
    * Null cipher is sometimes used to create an empty container for later reencryption.
    * Only an empty passphrase can activate such a container (the same as in LUKS1).
  * Do not silently decrease PBKDF parallel cost (threads) if set by an option.
    * The maximum parallel cost is limited to 4 threads.
  * Fixes to configuration and installation scripts.
    * Meson and autoconf tools now properly support --prefix option for temporary directory installation.
    * Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
    * Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
    * Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
  * Major update to manual pages.
    * Try to explain the PBKDF hardcoded limits.
    * Add a better explanation for automatic integrity tag recalculation.
    * Mention crypt/verity/integritytab.
    * Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
    * Clarify that some commands do not wipe data and unify OPAL reset wording.
    * Clarify the --label option.
    * There are also many other grammar and stylistic fixes to unify the man-page style.
  * Fixes for false-positive and annoying (optional) warnings added in recent
    compilers.

  * Update to 2.8.0:

  * Full release notes in:
    * https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
  * Introduce support for inline mode (use HW sectors with additional hardware
    metadata space).
  * Finalize use of keyslot context API.
  * Make all keyslot context types fully self-contained.
  * Add --key-description and --new-key-description cryptsetup options.
  * Support more precise keyslot selection in reencryption initialization.
  * Allow reencryption to resume using token and volume keys.
  * Cryptsetup repair command now tries to check LUKS keyslot areas for
    corruption.
  * Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
  * Opal2: Avoid the Erase method and use Secure Erase for locking range.
  * Opal2: Fix some error description (in debug only).
  * Opal2: Do not allow deferred deactivation.
  * Allow --reduce-device-size and --device-size combination for reencryption
    (encrypt) action.
  * Fix the userspace storage backend to support kernel "capi:" cipher
    specification format.
  * Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher
    specification is used.
  * Explicitly disallow kernel "capi:" cipher specification format for LUKS2
    keyslot encryption.
  * Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
  * cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
  * Remove keyslot warning about possible failure due to low memory.
  * Do not limit Argon2 KDF memory cost on systems with more than 4GB of
    available memory.
  * Properly report out of memory error for cryptographic backends implementing
    Argon2.
  * Avoid KDF2 memory cost overflow on 32-bit platforms.
  * Do not use page size as a fallback for device block size.
  * veritysetup: Check hash device size in advance.
  * Print a better error message for unsupported LUKS2 AEAD device resize.
  * Optimize LUKS2 metadata writes.
  * veritysetup: support --error-as-corruption option.
  * Report all sizes in status and dump command output in the correct units.
  * Add --integrity-key-size option to cryptsetup.
  * Support trusted; encrypted keyrings for plain devices.
  * Support plain format resize with a keyring key.
  * TCRYPT: Clear mapping of system-encrypted partitions.
  * TCRYPT: Print all information from the decrypted metadata header in the
    tcryptDump command.
  * Always lock the volume key structure in memory.
  * Do not run direct-io read check on block devices.
  * Fix a possible segfault in deferred deactivation.
  * Exclude cipher allocation time from the cryptsetup benchmark.
  * Add Mbed-TLS optional crypto backend.
  * Fix the wrong preprocessor use of #ifdef for config.h processed by Meson.
  * Reorganize license files. The license text files are now in docs/licenses.
    The COPYING file in the root directory is the default license.
  * Remove cc-by-sa-4.0.txt as already shipped now in docs/licenses and named as
    COPYING.CC-BY-SA-4.0.
  * Libcryptsetup API extensions. The libcryptsetup API is backward compatible
    with all existing symbols. Due to the self-contained memory allocation,
    these symbols have the new version:
    * crypt_keyslot_context_init_by_passphrase;
    * crypt_keyslot_context_init_by_keyfile;
    * crypt_keyslot_context_init_by_token;
    * crypt_keyslot_context_init_by_volume_key;
    * crypt_keyslot_context_init_by_signed_key;
    * crypt_keyslot_context_init_by_keyring;
    * crypt_keyslot_context_init_by_vk_in_keyring;
  * New symbols:
    * crypt_format_inline
    * crypt_get_old_volume_key_size
    * crypt_reencrypt_init_by_keyslot_context
    * crypt_safe_memcpy
  * New defines:
    * CRYPT_ACTIVATE_HIGH_PRIORITY
    * CRYPT_ACTIVATE_ERROR_AS_CORRUPTION
    * CRYPT_ACTIVATE_INLINE_MODE
    * CRYPT_REENCRYPT_CREATE_NEW_DIGEST
  * New requirement flag:

    * CRYPT_REQUIREMENT_INLINE_HW_TAGS
  * Add a dependency on device-mapper to libcryptsetup12 to install the required
    device-mapper udev rules. (bsc#1241612)

  * Update to 2.7.5:

  * Fix possible online reencryption data corruption (only in 2.7.x). In some
    situations (initializing a suspended device-mapper device), cryptsetup
    disabled direct-io device access. This caused unsafe online reencryption
    operations that could lead to data corruption. The code now adds strict
    checks (and aborts the operation) and changes direct-io detection code to
    prevent data corruption.
  * Fix a clang compilation error in SSH token plugin. As clang linker treats
    missing symbols as errors, the linker phase for the SSH token failed as the
    optional cryptsetup_token_buffer_free was not defined.
  * Fix crypto backend initialization in crypt_format_luks2_opal API call.

  * Update to 2.7.4:

  * Detect device busy failure for device-mapper table-referenced devices.
  * Fix shared activation for dm-verity devices.
  * Add --shared option for veritysetup open action.
  * Do not use exclusive flag for the allocated backing loop files.
  * Fixes for problems found by static analyzers and Valgrind.
  * Fixes to tests and CI scripts.
  * Use fdupes to link identical man pages.

  * Update to 2.7.3:

  * Do not allow formatting LUKS2 with Opal SED (hardware encryption) if the
    reported logical sector size for the block device and Opal encryption
    logical block differs.
  * Fixes to wiping LUKS2 headers after Opal locking area erase.
  * Mention the need for possible PSID revert before Opal format for some drives
    (man page).
  * Fix Bitlocker-compatible code to ignore newly seen metadata entries.
  * Fix interactive query retry if LUKS2 unbound keyslot is present.
  * Detect unsupported zoned devices for LUKS header devices.
  * Allow "capi" cipher format for benchmark command and fix parsing of plain IV
    in "capi" format.
  * Add support for HCTR2 encryption mode.
  * Source code now uses SPDX license identifiers instead of full license
    preambles.
  * Fix missing includes for cryptographic backend that could cause compilation
    errors for some systems.
  * Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
  * Fix various (mostly false positive) issues detected by Coverity.

  * License: Replace legacy 'AND SUSE-GPL-2.0-with-openssl-exception' with 'WITH
    cryptsetup-OpenSSL-exception' (the official SPDX exception).

  * update to 2.7.2:

  * Fix activation of OPAL-only encrypted LUKS device with tokens
  * Fix formatting of OPAL devices with 4096-byte sector size
  * Fix incorrect OPAL locking range alignment calculation if used over an
    unaligned device partition.
  * Do not check the passphrase quality for OPAL Admin PIN, as this passphrase
    already exists.
  * Update license for FAQ document to CC BY-SA 4.0. NOTE: Please note that with
    OPAL-only (--hw-opal-only) encryption, the configured OPAL administrator PIN
    (passphrase) allows unlocking all configured locking ranges without LUKS
    keyslot decryption (without knowledge of LUKS passphrase). Because of many
    observed problems with compatibility, cryptsetup currently DOES NOT use OPAL
    single-user mode, which would allow such decoupling of OPAL admin PIN
    access.

  * Update to 2.7.1:

  * Fix interrupted LUKS1 decryption resume. With the replacement of the
    cryptsetup-reencrypt tool by the cryptsetup reencrypt command, resuming the
    interrupted LUKS1 decryption operation could fail. LUKS2 was not affected.
  * Allow --link-vk-to-keyring with --test-passphrase option. This option allows
    uploading the volume key in a user-specified kernel keyring without
    activating the device.
  * Fix crash when --active-name was used in decryption initialization.
  * Updates and changes to man pages, including indentation, sorting options
    alphabetically, fixing mistakes in crypt_set_keyring_to_link, and fixing
    some typos.
  * Fix compilation with libargon2 when --disable-internal-argon2 was used.
  * Do not require installed argon2.h header and never compile internal
    libargon2 code if the crypto library directly supports Argon2.
  * Fixes to regression tests to support older Linux distributions.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Basesystem Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2777=1

## Package List:

  * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * cryptsetup-2.8.4-150700.6.4.4
    * cryptsetup-debuginfo-2.8.4-150700.6.4.4
    * libcryptsetup-devel-2.8.4-150700.6.4.4
    * cryptsetup-ssh-2.8.4-150700.6.4.4
    * libcryptsetup12-2.8.4-150700.6.4.4
    * cryptsetup-debugsource-2.8.4-150700.6.4.4
    * libcryptsetup12-debuginfo-2.8.4-150700.6.4.4
    * cryptsetup-ssh-debuginfo-2.8.4-150700.6.4.4
  * Basesystem Module 15-SP7 (s390x x86_64)
    * s390-tools-2.41.0-150700.4.26.2
  * Basesystem Module 15-SP7 (noarch)
    * s390-tools-genprotimg-data-2.41.0-150700.4.26.2
    * cryptsetup-doc-2.8.4-150700.6.4.4
    * cryptsetup-lang-2.8.4-150700.6.4.4
  * Basesystem Module 15-SP7 (s390x)
    * s390-tools-debuginfo-2.41.0-150700.4.26.2
    * s390-tools-debugsource-2.41.0-150700.4.26.2
    * libekmfweb1-2.41.0-150700.4.26.2
    * s390-tools-zdsfs-debuginfo-2.41.0-150700.4.26.2
    * libkmipclient1-2.41.0-150700.4.26.2
    * osasnmpd-2.41.0-150700.4.26.2
    * libkmipclient1-debuginfo-2.41.0-150700.4.26.2
    * libekmfweb1-devel-2.41.0-150700.4.26.2
    * s390-tools-chreipl-fcp-mpath-2.41.0-150700.4.26.2
    * s390-tools-hmcdrvfs-debuginfo-2.41.0-150700.4.26.2
    * s390-tools-hmcdrvfs-2.41.0-150700.4.26.2
    * osasnmpd-debuginfo-2.41.0-150700.4.26.2
    * libekmfweb1-debuginfo-2.41.0-150700.4.26.2
    * s390-tools-zdsfs-2.41.0-150700.4.26.2
  * Basesystem Module 15-SP7 (x86_64)
    * libcryptsetup12-32bit-debuginfo-2.8.4-150700.6.4.4
    * libcryptsetup12-32bit-2.8.4-150700.6.4.4

## References:

  * https://www.suse.com/security/cve/CVE-2026-41676.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1241612
  * https://bugzilla.suse.com/show_bug.cgi?id=1259314
  * https://bugzilla.suse.com/show_bug.cgi?id=1261813
  * https://bugzilla.suse.com/show_bug.cgi?id=1270185
  * https://jira.suse.com/browse/PED-14586
  * https://jira.suse.com/browse/PED-15860
  * https://jira.suse.com/browse/PED-15889

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260706/91c0c465/attachment.htm>


More information about the sle-updates mailing list