SUSE-IU-2026:1094-1
SUSE Image
security@suse.de
SUSE Security Team
SUSE Image SUSE-IU-2026:1094-1
Interim
1
1
2026-03-19T09:00:27Z
current
2026-02-19T01:00:00Z
2026-02-19T01:00:00Z
cve-database/bin/generate-cvrf-publiccloud.pl
2021-02-18T01:00:00Z
Image update for SUSE-IU-2026:1094-1 / google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
This image update for google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64 contains the following changes:
Package glib2 was updated:
- Add CVE fixes: + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484
glgo#GNOME/glib!4979).
+ glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485
glgo#GNOME/glib!4981).
+ glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489
glgo#GNOME/glib!4984).
- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
glgo#GNOME/glib#3851).
- Add CVE fixes:
+ glib2-CVE-2025-13601-1.patch, glib2-CVE-2025-13601-2.patch
(bsc#1254297 CVE-2025-13601 glgo#GNOME/glib#3827).
+ glib2-CVE-2025-14087-1.patch, glib2-CVE-2025-14087-2.patch,
glib2-CVE-2025-14087-3.patch (bsc#1254662 CVE-2025-14087
glgo#GNOME/glib#3834).
+ glib2-CVE-2025-14512.patch (bsc#1254878 CVE-2025-14512
glgo#GNOME/glib#3845).
Package google-guest-configs was updated:
- Update to version 20260116.00 (bsc#1256906) * set_multiqueue: Only set XPS on "multinic accelerator platforms"
- Update to version 20260112.00
* Make c4x a "multinic accelerator platform"
* Merge pull request #140 from a-r-n:xps-many-numa
* set_multiqueue xps: stop assuming 2 numa nodes
* Merge pull request #137 from a-r-n:a4x-pick
* Add IDPF irq setting; improve a4x-max performance
* Merge pull request #133 from a-r-n:master
* Allow test injection of the root directory and metadata server endpoint
* add nic naming support for connextx VF in baremetal
* bugfix for idpf only rename got skipped.
* add a4x-max to google_set_multiqueue is_multinic_accelerator_platform
* remove unnecessary link up and down
* fix inconsistent NIC index between smart NICs and GPU NICs.
- Mark %{_modprobedir}/gce-blacklist.conf as %config(noreplace) (bsc#1198323)
- Update to version 20251014.00
* No public description
- Update to version 20250913.00
* Swap guest-config rule from checking the build VM OS to taking
in a variable for target version
- from version 20250905.00
* No public description
- from version 20250826.00
* Merge pull request #119 from bk202:master
* Moved tx/rx IRQ logging after assignment
* Fix core assignment in set_irq_range
* Correct IRQ tx/rx affinity core assignment
- Update to version 20250807.00
* Merge pull request #96 from rjschwei:noDupMetaData
* Avoid duplicate entries for the metadata server in /etc/hosts
- Drop ggc-no-dup-metasrv-entry.patch, merged upstream
- Update to version 20250709.00
* Add comments in scripts to document the behavior in google
hostname setting.
* Always use primary NIC IP for NetworkManager dispatcher hook.
- from version 20250626.00
* Fix spelling error: "explicilty" -> "explicitly"
- Update to version 20250605.00
* Merge pull request (#112) from bk202:liujoh_416067717
* Added comment to the bitmap conversion functions
* Remove IRQ affinity overwrite to XPS affinity
* Update XPS affinity to assign the remaining unassigned CPUs
to the last queue when populating the last queue
* Fix set_xps_affinity to correctly parse cpus array
* Update XPS CPU assignment logic
* Update CPU assignment algorithm in XPS affinity
* Remove commented code
* Update XPS affinity vCPU distribution algorithm s.t. the vCPUs assigned
to a queue are on the same core - fixed IRQ affinity on NUMA1 not using
the correct bind_cores_index
* Fixed NUMA comparison error in set_xps_affinity
* Update XPS affinity setup to be NUMA aware and support 64 bit CPU mask
calculation
- from version 20250604.00
* Merge pull request (#114) from bk202:liujoh_irq_affinity_bug_fix
* Bug fix: bind_cores_begin -> bind_cores_index
* Name smart NICs in lexicographic order
- Run %postun to modify %{_sysconfdir}/sysconfig/network/ifcfg-eth0
during uninstall only to avoid removal of POST_UP_SCRIPT on upgrade
- Check that %{_sysconfdir}/sysconfig/network/ifcfg-eth0 actually
exists before making any modifications to it (bsc#1241112)
- Update to version 20250516.00
* Merge pull request #109 from xiliuxyz:master
* Remove unused fset
* Remove unused lines
* Update google_set_multiqueue to unpack IRQ ranges before core assignment
- Update to version 20250501.00
* Configure local domain as route only domain to support cloud dns local
domain but avoid adding it to the search path.
- from version 20250409.00
* Change RDMA test condition to ensure renaming race conditions can be
detected. If such a case is detected the script will err and exit rather
than returning a name. Udev accepts this and continues as though the rule
was not triggered in such a case.
- from version 20250328.00
* Merge pull request #105 from dorileo:revert-ubuntu-hostname-hooks
* Revert "Include systemd-networkd hook in Ubuntu packaging (#77)"
- from version 20250326.00
* Merge pull request #104 from xiliuxyz:master
* Merge pull request #1 from xiliuxyz/xiliuxyz-patch-1
* Update google_set_multiqueue to check pnic_ids
- from version 20250221.00
* Merge pull request #103 from a-r-n:master
* Make google_set_multiqueue aware A4X is multinic_accelerator_platform
- from version 20250207.00
* Merge pull request #102 from xiliuxyz:master
* Update google_set_multiqueue to adapt A4 platform
* Merge branch 'GoogleCloudPlatform:master' into master
* Fix IS_A3_PLATFORM syntax
* Fix IS_A3_PLATFORM syntax
* Correct IS_A3_PLATFORM to save is_a3_platform results
* Remove excess empty line.
* Store is_a3_platform results into a global variable to avoid redundant curl calls
* Skip tx affinity binding on non-gvnic interfaces only on A3 platforms.
* Skip tx affinity binding on non-gvnic interfaces
* Update comments for get_vcpu_ranges_on_accelerator_platform
to reflect the expected vcpu ranges
* rename get_vcpu_ranges to get_vcpu_ranges_on_accelerator_platform
* Avoid IRQ binding on vCPU 0
* Fix returned value for get_vcpu_ranges
* Update get_vcpu_ranges to read from sys file instead of hardcoded value
* Update google_set_multiqueue
* Update google_set_multiqueue to set vCPU ranges based on platform
* Merge branch 'GoogleCloudPlatform:master' into master
* Add comment for handling IRQ binding on non-gvnic devices
* Remove excess empty line.
* Update is_gvnic to include gvnic driver checks
* Merge branch 'master' into master
* revert removed echo lines
* Update google_set_multiqueue to skip set_irq if nic is not a gvnic device.
* Update google_set_multiqueue to enable on A3Ultra family
- from version 20250124.00
* Merge pull request #88 from zmarano:nvme
* Fix missing files. This is a no-op.
* No public description
* Also force virtio_scsi.
- from version 20250116.00
* Add GPL-2 to licensing information (#98)
- from version 20250107.00
* Restore IDPF devices for renaming rules (#95)
- from version 20241213.00
* Remove Pat from owners file. (#97)
Package gpg2 was updated:
- Security fix [bsc#1257396, CVE-2026-24882] - gpg2: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys
- Added gnupg-CVE-2026-24882.patch
- Security fix [bsc#1256389] (gpg.fail/filename)
* Added gnupg-accepts-path-separators-literal-data.patch
* GnuPG Accepts Path Separators and Path Traversals in Literal Data
Package grub2 was updated:
- Optimize PBKDF2 to reduce the decryption time (bsc#1248516) * 0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch
* 0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch
* 0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch
Package expat was updated:
- security update- added patches
CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser
* expat-CVE-2026-24515.patch
CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow
* expat-CVE-2026-25210.patch
Package openssl-3 was updated:
- Security fixes: * Missing ASN1_TYPE validation in PKCS#12 parsing
- openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
* ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
- openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
* Missing ASN1_TYPE validation in TS_RESP_verify_response() function
- openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
* NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
- openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
* Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
- openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
* Heap out-of-bounds write in BIO_f_linebuffer on short writes
- openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
* Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
- openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
* Stack buffer overflow in CMS AuthEnvelopedData parsing
- openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
- openssl-CVE-2025-15467-comments.patch
- openssl-CVE-2025-15467-test.patch
Package python311:base was updated:
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
Package systemd was updated:
- Name libsystemd-{shared,core} based on the major version of systemd and the package release number (bsc#1228081 bsc#1256427)
This way, both the old and new versions of the shared libraries will be
present during the update. This should prevent issues during package updates
when incompatible changes are introduced in the new versions of the shared
libraries.
- Import commit 8bbac1d508acb8aa4e7262f47c7f4076b8350f72
8bbac1d508 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293)
Package libxml2 was updated:
- Add patch libxml2-CVE-2026-0989.patch, to fix call stack exhaustion leading to application crash due to RelaxNG parser not limiting the
recursion depth when resolving `<include>` directives
CVE-2026-0989, bsc#1256805, https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
Package libzypp was updated:
- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- version 17.38.2 (35)
- Avoid libcurl-mini4 when building as it does not support ftp
protocol.
- Translation: updated .pot file.
- version 17.38.1 (35)
- zypp.conf: follow the UAPI configuration file specification
(PED-14658)
In short terms it means we will no longer ship an
/etc/zypp/zypp.conf, but store our own defaults in
/usr/etc/zypp/zypp.conf. The systems administrator may choose to
keep a full copy in /etc/zypp/zypp.conf ignoring our config file
settings completely, or - the preferred way - to overwrite
specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up
SELinux policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download
approach, drop Metalink ( fixes #682 )
- version 17.38.0 (35)
Package podman was updated:
Package python-urllib3 was updated:
- Add security patches: * CVE-2025-66471.patch (bsc#1254867)
* CVE-2025-66418.patch (bsc#1254866)
Package python311 was updated:
- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400, CVE-2025-13836) to prevent reading an HTTP response from
a server, if no read amount is specified, with using
Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
behavior in node ID cache clearing (CVE-2025-12084,
bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
against OOM when loading malicious content (CVE-2025-13837,
bsc#1254401).
Package server-attestation-image was updated:
Package server-hub-xmlrpc-api-image was updated:
Package server-image was updated:
Package server-migration-14-16-image was updated:
Package server-postgresql-image was updated:
Package server-saline-image was updated:
Package suseconnect-ng was updated:
- Update version to 1.20: - Update error message for Public Cloud instances with registercloudguest
installed. SUSEConnect -d is disabled on PYAG and BYOS when the
registercloudguest command is available. (bsc#1230861)
- Enhanced SAP detected. Take TREX into account and remove empty values when
only /usr/sap but no installation exists (bsc#1241002)
- Fixed modules and extension link to point to version less documentation. (bsc#1239439)
- Fixed SAP instance detection (bsc#1244550)
- Remove link to extensions documentation (bsc#1239439)
- Migrate to the public library
- Version 1.14 public library release
This version is only available on Github as a tag to release the
new golang public library which can be consumed without the need
to interface with SUSEConnect directly.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
https://publiccloudimagechangeinfo.suse.com/google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64/
Public Cloud Image Info
https://www.suse.com/support/security/rating/
SUSE Security Ratings
Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
SL-Micro-release-6.1-slfo.1.12.10
glib2-tools-2.78.6-slfo.1.1_6.1
google-guest-agent-20250116.00-slfo.1.1_2.1
google-guest-configs-20260116.00-slfo.1.1_1.1
google-osconfig-agent-20250416.02-slfo.1.1_2.1
gpg2-2.4.4-slfo.1.1_7.1
grub2-2.12-slfo.1.1_4.1
grub2-arm64-efi-2.12-slfo.1.1_4.1
grub2-snapper-plugin-2.12-slfo.1.1_4.1
libexpat1-2.7.1-slfo.1.1_4.1
libgio-2_0-0-2.78.6-slfo.1.1_6.1
libglib-2_0-0-2.78.6-slfo.1.1_6.1
libgmodule-2_0-0-2.78.6-slfo.1.1_6.1
libgobject-2_0-0-2.78.6-slfo.1.1_6.1
libopenssl3-3.1.4-slfo.1.1_8.1
libpython3_11-1_0-3.11.14-slfo.1.1_2.1
libsystemd0-254.27-slfo.1.1_3.1
libudev1-254.27-slfo.1.1_3.1
libxml2-2-2.11.6-slfo.1.1_7.1
libxml2-tools-2.11.6-slfo.1.1_7.1
libzypp-17.38.2-slfo.1.1_1.1
openssl-3-3.1.4-slfo.1.1_8.1
podman-5.4.2-slfo.1.1_3.1
python311-3.11.14-slfo.1.1_2.1
python311-base-3.11.14-slfo.1.1_2.1
python311-urllib3-2.1.0-slfo.1.1_4.1
suse-multi-linux-manager-5.1-aarch64-server-attestation-image-5.1.2-8.13.26
suse-multi-linux-manager-5.1-aarch64-server-hub-xmlrpc-api-image-5.1.2-8.11.16
suse-multi-linux-manager-5.1-aarch64-server-image-5.1.2-8.11.37
suse-multi-linux-manager-5.1-aarch64-server-migration-14-16-image-5.1.2-8.11.16
suse-multi-linux-manager-5.1-aarch64-server-postgresql-image-5.1.2-6.11.15
suse-multi-linux-manager-5.1-aarch64-server-saline-image-5.1.2-9.11.36
suseconnect-ng-1.20.0-slfo.1.1_1.1
systemd-254.27-slfo.1.1_3.1
systemd-coredump-254.27-slfo.1.1_3.1
udev-254.27-slfo.1.1_3.1
SL-Micro-release-6.1-slfo.1.12.10 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
glib2-tools-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
google-guest-agent-20250116.00-slfo.1.1_2.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
google-guest-configs-20260116.00-slfo.1.1_1.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
google-osconfig-agent-20250416.02-slfo.1.1_2.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
gpg2-2.4.4-slfo.1.1_7.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
grub2-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
grub2-arm64-efi-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
grub2-snapper-plugin-2.12-slfo.1.1_4.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libexpat1-2.7.1-slfo.1.1_4.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libgio-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libglib-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libgmodule-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libgobject-2_0-0-2.78.6-slfo.1.1_6.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libopenssl3-3.1.4-slfo.1.1_8.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libpython3_11-1_0-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libsystemd0-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libudev1-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libxml2-2-2.11.6-slfo.1.1_7.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libxml2-tools-2.11.6-slfo.1.1_7.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
libzypp-17.38.2-slfo.1.1_1.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
openssl-3-3.1.4-slfo.1.1_8.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
podman-5.4.2-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
python311-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
python311-base-3.11.14-slfo.1.1_2.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
python311-urllib3-2.1.0-slfo.1.1_4.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-attestation-image-5.1.2-8.13.26 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-hub-xmlrpc-api-image-5.1.2-8.11.16 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-image-5.1.2-8.11.37 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-migration-14-16-image-5.1.2-8.11.16 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-postgresql-image-5.1.2-6.11.15 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suse-multi-linux-manager-5.1-aarch64-server-saline-image-5.1.2-9.11.36 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
suseconnect-ng-1.20.0-slfo.1.1_1.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
systemd-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
systemd-coredump-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
udev-254.27-slfo.1.1_3.1 as a component of Public Cloud Image google/suse-multi-linux-mgr-server-5-1-byos-v20260219-arm64
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2025-12084
moderate
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
CVE-2025-13601
important
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
CVE-2025-13836
moderate
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
CVE-2025-13837
moderate
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
CVE-2025-14087
important
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
CVE-2025-14512
moderate
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2025-15467
critical
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
CVE-2025-66418
moderate
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.
CVE-2025-66471
moderate
Issue summary: Writing large, newline-free data into a BIO chain using the
line-buffering filter where the next BIO performs short writes can trigger
a heap-based out-of-bounds write.
Impact summary: This out-of-bounds write can cause memory corruption which
typically results in a crash, leading to Denial of Service for an application.
The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in
TLS/SSL data paths. In OpenSSL command-line applications, it is typically
only pushed onto stdout/stderr on VMS systems. Third-party applications that
explicitly use this filter with a BIO chain that can short-write and that
write large, newline-free data influenced by an attacker would be affected.
However, the circumstances where this could happen are unlikely to be under
attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated
data controlled by an attacker. For that reason the issue was assessed as
Low severity.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the BIO implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
CVE-2025-68160
moderate
Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.
CVE-2025-69418
moderate
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
non-ASCII BMP code point can trigger a one byte write before the allocated
buffer.
Impact summary: The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service.
The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
source byte count as the destination buffer capacity to UTF8_putc(). For BMP
code points above U+07FF, UTF-8 requires three bytes, but the forwarded
capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
value is added to the output length without validation, causing the
length to become negative. The subsequent trailing NUL byte is then written
at a negative offset, causing write outside of heap allocated buffer.
The vulnerability is reachable via the public PKCS12_get_friendlyname() API
when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
different code path that avoids this issue, PKCS12_get_friendlyname() directly
invokes the vulnerable function. Exploitation requires an attacker to provide
a malicious PKCS#12 file to be parsed by the application and the attacker
can just trigger a one zero byte write before the allocated buffer.
For that reason the issue was assessed as Low severity according to our
Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
CVE-2025-69419
moderate
Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.
Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.
The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.
Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
CVE-2025-69420
moderate
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
dereference in the PKCS12_item_decrypt_d2i_ex() function.
Impact summary: A NULL pointer dereference can trigger a crash which leads to
Denial of Service for an application processing PKCS#12 files.
The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
parameter is NULL before dereferencing it. When called from
PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
be NULL, causing a crash. The vulnerability is limited to Denial of Service
and cannot be escalated to achieve code execution or memory disclosure.
Exploiting this issue requires an attacker to provide a malformed PKCS#12 file
to an application that processes it. For that reason the issue was assessed as
Low severity according to our Security Policy.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
CVE-2025-69421
moderate
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
CVE-2026-0988
low
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
CVE-2026-0989
moderate
A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
CVE-2026-1484
important
A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
CVE-2026-1485
low
A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
CVE-2026-1489
important
Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.
A type confusion vulnerability exists in PKCS#12 parsing code where
an ASN1_TYPE union member is accessed without first validating the type,
causing an invalid pointer read.
The location is constrained to a 1-byte address space, meaning any
attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
This range corresponds to the zero page, which is unmapped on most modern
operating systems and will reliably result in a crash, leading only to a
Denial of Service. Exploiting this issue also requires a user or application
to process a maliciously crafted PKCS#12 file. It is uncommon to accept
untrusted PKCS#12 files in applications as they are usually used to store
private keys which are trusted by definition. For these reasons, the issue
was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
CVE-2026-22795
moderate
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
CVE-2026-24515
moderate
In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.
CVE-2026-24882
important
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
CVE-2026-25210
moderate