It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause an invalid curve attack.
Created openCryptoki tracking bugs for this issue:
Affects: fedora-all [bug 1990592]
As mentioned in the Ubuntu launchpad bug  EC support has been introduced in the Soft token with OCK 3.15.0, so this issue only affects openCryptoki versions >= 3.15.0 while earlier openCryptoki releases are not affected. In particular, EC support was introduced through commit .
In an invalid curve attack, the attacker is able to trick the vulnerable application into using curve points outside of the intended elliptic curve, making it possible to (potentially) extract the private key. A cryptographic library implementing Elliptic Curve Cryptography (ECC) needs to make sure that only valid curve points will be processed, while invalid points are detected and discarded accordingly. This is what openCryptoki's patch aims to do by adding the missing check in fill_ec_key_from_pubkey() and fill_ec_key_from_privkey().
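The point validation described above, as an added example that is not openCryptoki's patch code: it decodes an uncompressed public point and rejects it unless it satisfies the curve equation. NIST P-256 is chosen here as an assumption, and all function names are hypothetical.

```python
# NIST P-256 (secp256r1) domain parameters; the curve choice is an assumption.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def implied_b(x, y):
    """Constant term b' of the curve y^2 = x^3 + A*x + b' that (x, y) lies on."""
    return (y * y - x * x * x - A * x) % P


def is_on_curve(x, y):
    """True only for affine points with coordinates in [0, P-1] that satisfy
    the P-256 equation. Any other b' means the point belongs to a different
    curve, which the library must never compute on."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return implied_b(x, y) == B


def parse_public_point(encoded):
    """Decode a SEC1 uncompressed point (0x04 || X || Y) and validate it.

    Raises ValueError rather than handing back a point the caller must not
    use. P-256 has cofactor 1, so an on-curve affine point is in the
    intended group and no separate order check is needed.
    """
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise ValueError("not a 65-byte uncompressed P-256 point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if not is_on_curve(x, y):
        raise ValueError("point is not on P-256")
    return x, y


def encode(x, y):
    """Build the 65-byte uncompressed encoding (helper for the sample inputs)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


# Constructed inputs: the P-256 generator, and the same point with y shifted by one.
VALID = encode(GX, GY)
OFF_CURVE = encode(GX, GY + 1)
```

The validation has to run before the point reaches any scalar multiplication, which is why it belongs at the place where key material is imported.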
This issue has been addressed in Red Hat Enterprise Linux 8 via RHBA-2021:3054: