CVE-2026-33186 (GCVE-0-2026-33186)
Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09
Title
gRPC-Go has an authorization bypass via missing leading slash in :path
Summary
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, and that have a security policy containing specific "deny" rules for canonical paths but allowing other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: a validating interceptor (the recommended mitigation), infrastructure-level normalization, and/or policy hardening.
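The summary describes two things a practitioner wants to see side by side: why an exact-match "deny" rule on a canonical path fails against a raw `Service/Method` string when a fallback "allow" exists, and what the recommended validating interceptor has to do before the policy runs. The following Go program is an added, stdlib-only model of that flow; it is not code from gRPC-Go or the `grpc/authz` package. The `policy` type, `validateFullMethod`, and the service/method names (`/admin.Admin/Reset`, `/public.Echo/Ping`) are constructed for illustration, and the `codes.Unimplemented` rejection is stood in for by a plain error. In a real server the `validateFullMethod` check would run on `info.FullMethod` inside a `grpc.UnaryServerInterceptor` (and on `grpc.Method(ctx)` in the stream interceptor) ahead of any authorization interceptor.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath stands in for the codes.Unimplemented rejection that
// gRPC-Go 1.79.3 returns for a :path without a leading slash. This file is a
// constructed, stdlib-only model; it is not code from grpc-go or grpc/authz.
var ErrNonCanonicalPath = errors.New("unimplemented: :path must begin with '/'")

// validateFullMethod is the gate a validating interceptor applies to
// info.FullMethod (unary) or grpc.Method(ctx) (stream) before any policy
// evaluation. Anything not starting with "/" is refused outright rather than
// normalized, matching the behaviour of the upstream fix.
func validateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	return nil
}

// policy models the deny-then-fallback-allow shape described in the advisory:
// explicit deny rules keyed on canonical paths, with allow-by-default.
type policy struct {
	deny           map[string]bool
	allowByDefault bool
}

// evaluate matches the raw path string exactly, as a path-based RBAC
// interceptor evaluating the non-canonical string would.
func (p policy) evaluate(rawPath string) bool {
	if p.deny[rawPath] {
		return false
	}
	return p.allowByDefault
}

// vulnerableAuthorize is the pre-1.79.3 flow: the policy sees the raw :path.
func vulnerableAuthorize(p policy, rawPath string) bool {
	return p.evaluate(rawPath)
}

// hardenedAuthorize is the mitigation: validate first, then evaluate.
func hardenedAuthorize(p policy, rawPath string) (bool, error) {
	if err := validateFullMethod(rawPath); err != nil {
		return false, err
	}
	return p.evaluate(rawPath), nil
}

// examplePolicy denies a hypothetical admin method and allows everything else.
// Service and method names are constructed for illustration.
func examplePolicy() policy {
	return policy{
		deny:           map[string]bool{"/admin.Admin/Reset": true},
		allowByDefault: true,
	}
}

func main() {
	p := examplePolicy()
	for _, path := range []string{"/admin.Admin/Reset", "admin.Admin/Reset", "/public.Echo/Ping"} {
		ok, err := hardenedAuthorize(p, path)
		fmt.Printf("%-20q vulnerable=%-5v hardened=%-5v err=%v\n",
			path, vulnerableAuthorize(p, path), ok, err)
	}
}
```

The point of the model is the second row of its output: the deny rule is keyed on `/admin.Admin/Reset`, so the raw string `admin.Admin/Reset` never matches it and the fallback allow fires, whereas the hardened path refuses the request before the policy is consulted. Rejecting rather than normalizing is deliberate: normalizing would let a request reach the handler under a string the operator never wrote a rule for.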
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/grpc/grpc-go/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:08:38.989284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:09:13.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grpc-go",
"vendor": "grpc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.79.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T22:23:32.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
}
],
"source": {
"advisory": "GHSA-p77j-4mvh-x3m3",
"discovery": "UNKNOWN"
},
"title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33186",
"datePublished": "2026-03-20T22:23:32.147Z",
"dateReserved": "2026-03-17T22:16:36.720Z",
"dateUpdated": "2026-03-24T18:09:13.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33186",
"date": "2026-06-29",
"epss": "0.00522",
"percentile": "0.40354"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33186\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T23:16:45.180\",\"lastModified\":\"2026-06-17T10:37:05.900\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \\\"deny\\\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \\\"allow\\\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \\\"deny\\\" rules for canonical paths but allows other requests by default (a fallback \\\"allow\\\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. 
While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.\"},{\"lang\":\"es\",\"value\":\"gRPC-Go es la implementaci\u00f3n en lenguaje Go de gRPC. Las versiones anteriores a la 1.79.3 tienen un bypass de autorizaci\u00f3n resultante de una validaci\u00f3n de entrada incorrecta del pseudo-encabezado HTTP/2 \u0027:path\u0027. El servidor gRPC-Go era demasiado indulgente en su l\u00f3gica de enrutamiento, aceptando solicitudes donde el \u0027:path\u0027 omit\u00eda la barra inicial obligatoria (por ejemplo, \u0027Service/Method\u0027 en lugar de \u0027/Service/Method\u0027). Si bien el servidor enrut\u00f3 con \u00e9xito estas solicitudes al gestor correcto, los interceptores de autorizaci\u00f3n (incluido el paquete oficial \u0027grpc/authz\u0027) evaluaron la cadena de ruta cruda y no can\u00f3nica. En consecuencia, las reglas de \u0027denegaci\u00f3n\u0027 definidas usando rutas can\u00f3nicas (que comienzan con \u0027/\u0027) no lograron coincidir con la solicitud entrante, permitiendo que bypassara la pol\u00edtica si una regla de \u0027permiso\u0027 de respaldo estaba presente. Esto afecta a los servidores gRPC-Go que utilizan interceptores de autorizaci\u00f3n basados en rutas, como la implementaci\u00f3n oficial de RBAC en \u0027google.golang.org/grpc/authz\u0027 o interceptores personalizados que dependen de \u0027info.FullMethod\u0027 o \u0027grpc.Method(ctx)\u0027; Y que tienen una pol\u00edtica de seguridad que contiene reglas de \u0027denegaci\u00f3n\u0027 espec\u00edficas para rutas can\u00f3nicas pero permite otras solicitudes por defecto (una regla de \u0027permiso\u0027 de respaldo). La vulnerabilidad es explotable por un atacante que puede enviar tramas HTTP/2 crudas con encabezados \u0027:path\u0027 malformados directamente al servidor gRPC. 
La correcci\u00f3n en la versi\u00f3n 1.79.3 asegura que cualquier solicitud con un \u0027:path\u0027 que no comience con una barra inicial sea inmediatamente rechazada con un error \u0027codes.Unimplemented\u0027, impidiendo que llegue a los interceptores de autorizaci\u00f3n o gestores con una cadena de ruta no can\u00f3nica. Si bien la actualizaci\u00f3n es la ruta m\u00e1s segura y recomendada, los usuarios pueden mitigar la vulnerabilidad utilizando uno de los siguientes m\u00e9todos: Usar un interceptor de validaci\u00f3n (mitigaci\u00f3n recomendada); normalizaci\u00f3n a nivel de infraestructura; y/o endurecimiento de pol\u00edticas.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"grpc\",\"product\":\"grpc-go\",\"versions\":[{\"version\":\"\u003c 1.79.3\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-24T18:08:38.989284Z\",\"id\":\"CVE-2026-33186\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA 
Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"1.79.3\",\"matchCriteriaId\":\"D5AB3ED0-D11B-461E-B2B1-627D5CCEA236\"}]}]}],\"references\":[{\"url\":\"https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33186\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T18:08:38.989284Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T18:09:03.096Z\"}}], \"cna\": {\"title\": \"gRPC-Go has an authorization bypass via missing leading slash in :path\", \"source\": {\"advisory\": \"GHSA-p77j-4mvh-x3m3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"grpc\", \"product\": \"grpc-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.79.3\"}]}], \"references\": [{\"url\": \"https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3\", \"name\": \"https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). 
While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \\\"deny\\\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \\\"allow\\\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \\\"deny\\\" rules for canonical paths but allows other requests by default (a fallback \\\"allow\\\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T22:23:32.147Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33186\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T18:09:13.422Z\", \"dateReserved\": \"2026-03-17T22:16:36.720Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T22:23:32.147Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
SUSE-SU-2026:21490-1
Vulnerability from csaf_suse - Published: 2026-05-05 13:35 - Updated: 2026-05-05 13:35
Summary
Security update for containerd
Severity
Important
Notes
Title of the patch: Security update for containerd
Description of the patch: This update for containerd fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260296).
Patchnames: SUSE-SLE-Micro-6.0-696
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.0:containerd-1.7.29-2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.0:containerd-1.7.29-2.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.0:containerd-1.7.29-2.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd fixes the following issue:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path`\n pseudo-header (bsc#1260296).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-696",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21490-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21490-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621490-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21490-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046223.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260296",
"url": "https://bugzilla.suse.com/1260296"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for containerd",
"tracking": {
"current_release_date": "2026-05-05T13:35:46Z",
"generator": {
"date": "2026-05-05T13:35:46Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21490-1",
"initial_release_date": "2026-05-05T13:35:46Z",
"revision_history": [
{
"date": "2026-05-05T13:35:46Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-2.1.aarch64",
"product": {
"name": "containerd-1.7.29-2.1.aarch64",
"product_id": "containerd-1.7.29-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-2.1.s390x",
"product": {
"name": "containerd-1.7.29-2.1.s390x",
"product_id": "containerd-1.7.29-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-2.1.x86_64",
"product": {
"name": "containerd-1.7.29-2.1.x86_64",
"product_id": "containerd-1.7.29-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-2.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:containerd-1.7.29-2.1.aarch64"
},
"product_reference": "containerd-1.7.29-2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-2.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:containerd-1.7.29-2.1.s390x"
},
"product_reference": "containerd-1.7.29-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-2.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:containerd-1.7.29-2.1.x86_64"
},
"product_reference": "containerd-1.7.29-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.aarch64",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.s390x",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.aarch64",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.s390x",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.aarch64",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.s390x",
"SUSE Linux Micro 6.0:containerd-1.7.29-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-05T13:35:46Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21560-1
Vulnerability from csaf_suse - Published: 2026-05-06 00:44 - Updated: 2026-05-06 00:44
Summary
Security update for distribution
Severity
Important
Notes
Title of the patch: Security update for distribution
Description of the patch: This update for distribution fixes the following issues:
Security issues:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260283).
- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262951).
- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).
Non-security issues:
- add distribution-registry.tmpfiles (jsc#PED-14747).
- distribution builds against go1.24 EOL (bsc#1259718).
Changes for distribution:
- update to 3.1.0
* Adds support for tag pagination
* Fixes default credentials in Azure storage provider
* Drops support for go1.23 and go1.24 and updates to go1.25
* See the full changelog below for the full list of changes.
* docs: Update to refer to new image tag v3
* Fix default_credentials in azure storage provider
* chore: make function comment match function name
* build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group across 1 directory
* fix: implement JWK thumbprint for Ed25519 public keys
* fix: Annotate code block from validation.indexes configuration docs
* feat: extract redis config to separate struct
* Fix: resolve issue #4478 by using a temporary file for non-append writes
* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2
* docs: Add note about `OTEL_TRACES_EXPORTER`
* fix: set OTEL traces to disabled by default
* Fix markdown syntax for OTEL traces link in docs
* Switch UUIDs to UUIDv7
* refactor: replace map iteration with maps.Copy/Clone
* s3-aws: fix build for 386
* docs: Add OpenTelemetry links to quickstart docs
* Fix S3 driver loglevel param
* Fixed data race in TestSchedule test
* Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys
* build(deps): bump actions/checkout from 4 to 5
* Fix broken link to Docker Hub fair use policy
* fix(registry/handlers/app): redis CAs
* build(deps): bump actions/labeler from 5 to 6
* build(deps): bump actions/setup-go from 5 to 6
* build(deps): bump actions/upload-pages-artifact from 3 to 4
* build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3
* build(deps): bump github/codeql-action from 3.26.5 to 4.30.7
* build(deps): bump github/codeql-action from 4.30.7 to 4.30.8
* chore: labeler: add area/client mapping for internal/client/**
* client: add Accept headers to Exists() HEAD
* feat(registry): Make graceful shutdown test robust
* fix(registry): Correct log formatting for upstream challenge
* build(deps): bump github/codeql-action from 4.30.8 to 4.30.9
* build(deps): bump github/codeql-action from 4.30.9 to 4.31.3
* refactor: remove redundant variable declarations in for loops
* "should" -> "must" regarding redis eviction policy
* build(deps): bump actions/checkout from 5 to 6
* Incorrect warning hint
* Add return error when list object
* build(deps): bump actions/checkout from 5.0.1 to 6.0.0
* build(deps): bump peter-evans/dockerhub-description from 4 to 5
* fix: Logging regression for manifest HEAD requests
* Add boolean parsing util
* Expose `useFIPSEndpoint` for S3
* Add Cloudfleet Container Registry to adopters
* fix(ci): Fix broken Azure e2e storage tests
* BUG: Fix notification filtering to work with actions when mediatypes is empty
* build(deps): bump actions/checkout from 6.0.0 to 6.0.1
* build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
* build(deps): bump github/codeql-action from 4.31.3 to 4.31.10
* build(deps): bump github/codeql-action from 4.31.10 to 4.32.2
* build(deps): bump actions/checkout from 6.0.1 to 6.0.2
* update golangci-lint to v2.9 and fix linting issues
* update to go1.25.7, alpine 3.23, xx v1.9.0
* vendor: github.com/sirupsen/logrus v1.9.4
* vendor: update golang.org/x/* dependencies
* vendor: github.com/docker/docker-credential-helpers v0.9.5
* vendor: github.com/opencontainers/image-spec v1.1.1
* vendor: github.com/klauspost/compress v1.18.4
* fix: prefer otel variables over hard coded service name
* vendor: github.com/spf13/cobra v1.10.2
* vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0
* fix: sync parent dir to ensure data is reliably stored
* modernize code
* vendor: github.com/docker/go-events 605354379745
* vendor: github.com/go-jose/go-jose/v4 v4.1.3
* build(deps): bump github/codeql-action from 4.32.2 to 4.32.5
* build(deps): bump docker/login-action from 3 to 4
* build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
* build(deps): bump docker/setup-buildx-action from 3 to 4
* build(deps): bump docker/bake-action from 6 to 7
* build(deps): bump docker/metadata-action from 5 to 6
* fix: nil-check scheduler in `proxyingRegistry.Close()`
* fix: set MD5 on GCS writer before first `Write` call in `putContent`
* docs: pull through cache will pull from remote multiple times
* Update s3.md regionendpoint option
* chore(deps): Bump Go to latest 1.25 in CI workflows and go.mod
* fix: correct Ed25519 JWK thumbprint `kty` from `"OTP"` to `"OKP"`
* Update vacuum.go
* Opt: refactor tag list pagination support (stage 1)
* Correctly match environment variables to YAML-inlined structs in configuration
* Enable Redis TLS without client certificates
* build(deps): bump actions/deploy-pages from 4 to 5
* build(deps): bump github/codeql-action from 4.32.5 to 4.34.1
* fix(registry/proxy): use detached context when flushing write buffer
* ci: pin actions and apply zizmor auto-fixes
* build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
* build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in the go_modules group across 1 directory
* chore(app): warn when partial TLS config is used in Redis
* feat(registry): enhance authentication checks in htpasswd implementation
* Opt: refactor tag list pagination support
* build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0
* build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0
* fix(vendor): fix broke vendor validation
* chore(ci): Prep for v3.1 release
- Update to version 3.1.0:
* fix(vendor): fix broke vendor validation
* fix redis repo-scoped blob descriptor revocation
* proxy: bind bearer realms to upstream trust boundary
- restore directory ownership after last change
- Move config files in systemd tmpfiles dir for immutable mode
Patchnames: SUSE-SLES-16.0-703
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2026-33186
CVSS v3.1 base score: 8.1 (High)
Affected products
Recommended (8 products)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0 | distribution-registry-3.1.0-160000.1.1.aarch64 | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server 16.0 | distribution-registry-3.1.0-160000.1.1.ppc64le | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server 16.0 | distribution-registry-3.1.0-160000.1.1.s390x | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server 16.0 | distribution-registry-3.1.0-160000.1.1.x86_64 | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | distribution-registry-3.1.0-160000.1.1.aarch64 | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | distribution-registry-3.1.0-160000.1.1.ppc64le | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | distribution-registry-3.1.0-160000.1.1.s390x | 3.1.0-160000.1.1 | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0 | distribution-registry-3.1.0-160000.1.1.x86_64 | 3.1.0-160000.1.1 | Vendor Fix |
Threats
Impact: important
CVE-2026-33540
CVSS v3.1 base score: 3.1 (Low)
Affected products
Recommended (8 products): the same eight distribution-registry-3.1.0-160000.1.1 packages listed in the first Affected products table above, each with remediation Vendor Fix
Threats
Impact: moderate
CVE-2026-34986
CVSS v3.1 base score: 7.5 (High)
Affected products
Recommended (8 products): the same eight distribution-registry-3.1.0-160000.1.1 packages listed in the first Affected products table above, each with remediation Vendor Fix
Threats
Impact: important
CVE-2026-35172
CVSS v3.1 base score: 7.5 (High)
Affected products
Recommended (8 products): the same eight distribution-registry-3.1.0-160000.1.1 packages listed in the first Affected products table above, each with remediation Vendor Fix
Threats
Impact: important
References
21 references
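The raw CSAF document that follows describes CVE-2026-33186: gRPC-Go routed a `:path` of `Service/Method` (no leading slash) to the right handler, but the authz interceptor compared that raw string against deny rules written as `/Service/Method`, so the deny rule missed and the fallback allow rule fired. The Go program below is an added example, not code from gRPC-Go, grpc/authz or this advisory: it models the deny-then-allow evaluation with a tiny rule type of its own and shows the bypass next to the validating check the advisory recommends. The method names `pkg.Admin/DeleteUser` and `pkg.Users/GetUser`, the `Rule` and `Policy` types and the sentinel errors standing in for `codes.Unimplemented` and `codes.PermissionDenied` are all assumptions made here; only the standard library is used so it runs without the gRPC module.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors standing in for the gRPC status codes the real
// interceptors return (codes.Unimplemented and codes.PermissionDenied).
var (
	ErrUnimplemented    = errors.New("unimplemented: method path is not canonical")
	ErrPermissionDenied = errors.New("permission denied by authorization policy")
)

// Rule is a minimal stand-in for a grpc/authz RBAC rule: the canonical
// method paths it matches. An empty Paths list matches every request,
// which is how a fallback "allow" rule is expressed.
type Rule struct {
	Name  string
	Paths []string
}

func (r Rule) matches(fullMethod string) bool {
	if len(r.Paths) == 0 {
		return true
	}
	for _, p := range r.Paths {
		if p == fullMethod { // exact string compare, no normalization
			return true
		}
	}
	return false
}

// Policy is evaluated the way the authz interceptor evaluates RBAC:
// deny rules first, then allow rules; anything unmatched is denied.
type Policy struct {
	Deny  []Rule
	Allow []Rule
}

func (p Policy) Authorize(fullMethod string) error {
	for _, r := range p.Deny {
		if r.matches(fullMethod) {
			return ErrPermissionDenied
		}
	}
	for _, r := range p.Allow {
		if r.matches(fullMethod) {
			return nil
		}
	}
	return ErrPermissionDenied
}

// ExamplePolicy has the vulnerable shape the advisory describes: a deny
// rule written with the canonical path plus a fallback allow rule.
func ExamplePolicy() Policy {
	return Policy{
		Deny:  []Rule{{Name: "deny-user-deletion", Paths: []string{"/pkg.Admin/DeleteUser"}}},
		Allow: []Rule{{Name: "allow-everything-else"}},
	}
}

// ValidateMethodPath is the validating-interceptor check: the method path
// must have the canonical "/Service/Method" shape before any policy sees it.
func ValidateMethodPath(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrUnimplemented
	}
	sep := strings.LastIndex(fullMethod, "/")
	if sep == 0 || sep == len(fullMethod)-1 {
		return ErrUnimplemented // no service/method split, or an empty method name
	}
	return nil
}

// AuthorizeVulnerable models gRPC-Go before 1.79.3: the raw :path value
// reaches the policy unchanged, so "pkg.Admin/DeleteUser" misses the deny rule.
func AuthorizeVulnerable(p Policy, rawPath string) error {
	return p.Authorize(rawPath)
}

// AuthorizeFixed models the mitigation: non-canonical paths are rejected
// with Unimplemented before authorization runs.
func AuthorizeFixed(p Policy, rawPath string) error {
	if err := ValidateMethodPath(rawPath); err != nil {
		return err
	}
	return p.Authorize(rawPath)
}

func main() {
	p := ExamplePolicy()
	// Constructed :path values: the canonical deny target, the slashless
	// variant an attacker can put in a raw HTTP/2 HEADERS frame, and an
	// unrelated method the fallback rule is meant to allow.
	for _, path := range []string{"/pkg.Admin/DeleteUser", "pkg.Admin/DeleteUser", "/pkg.Users/GetUser"} {
		fmt.Printf("%-22s vulnerable=%v  fixed=%v\n", path, AuthorizeVulnerable(p, path), AuthorizeFixed(p, path))
	}
}
```

In a real server the check in `ValidateMethodPath` belongs in both a unary and a stream interceptor registered ahead of the authz interceptor, reading `info.FullMethod`; gRPC-Go 1.79.3 and later perform the same rejection in the transport before any interceptor runs, so after upgrading the interceptor is redundant but harmless. Note that a grpc-go client or any HTTP/2 library that canonicalizes paths will never produce the slashless form, which is why the advisory scopes exploitability to attackers who can write raw HTTP/2 frames.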
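CVE-2026-33540, also described in the CSAF document below, is the pull-through proxy trusting whatever `realm` a `WWW-Authenticate: Bearer` challenge named and posting the configured upstream credentials there. The Go program below is an added example written for this page, not distribution's own code: it extracts the realm from a bearer challenge and refuses to release credentials unless the realm is an https URL on the upstream registry's host. The optional extra-host allow-list is this example's own device (an assumption, not something the advisory describes) for upstreams whose token server lives on a separate host; the hostnames and challenge strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var (
	ErrNotBearer    = errors.New("challenge is not a Bearer challenge")
	ErrMissingRealm = errors.New("bearer challenge carries no realm")
	ErrRealmScheme  = errors.New("realm must be an https URL")
	ErrRealmHost    = errors.New("realm host is outside the upstream trust boundary")
)

// splitParams splits `k="v",k="v"` on commas that sit outside double quotes.
func splitParams(s string) []string {
	var out []string
	var cur strings.Builder
	quoted := false
	for _, r := range s {
		if r == '"' {
			quoted = !quoted
		} else if r == ',' && !quoted {
			out = append(out, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
	}
	return append(out, cur.String())
}

// BearerRealm extracts the realm parameter from a
// `Bearer realm="...",service="...",scope="..."` challenge header.
func BearerRealm(header string) (string, error) {
	scheme, params, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return "", ErrNotBearer
	}
	for _, kv := range splitParams(params) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || !strings.EqualFold(strings.TrimSpace(k), "realm") {
			continue
		}
		if realm := strings.Trim(strings.TrimSpace(v), `"`); realm != "" {
			return realm, nil
		}
	}
	return "", ErrMissingRealm
}

// RealmTrusted is the trust-boundary check: the realm must be https and its
// host must be the upstream registry's host or one of the operator-listed
// extra hosts (the allow-list is this example's assumption, see lead-in).
func RealmTrusted(upstream, realm string, extraHosts ...string) error {
	up, err1 := url.Parse(upstream)
	ru, err2 := url.Parse(realm)
	if err1 != nil || err2 != nil {
		return errors.Join(err1, err2)
	}
	if ru.Scheme != "https" {
		return ErrRealmScheme
	}
	host := strings.ToLower(ru.Hostname()) // userinfo and port play no part in the decision
	if host == strings.ToLower(up.Hostname()) {
		return nil
	}
	for _, h := range extraHosts {
		if host == strings.ToLower(h) {
			return nil
		}
	}
	return ErrRealmHost
}

// TokenEndpoint returns the realm the proxy may send its upstream credentials
// to, or the reason the challenge must be refused. The vulnerable code path
// amounted to skipping RealmTrusted and using the realm as the upstream sent it.
func TokenEndpoint(upstream, wwwAuthenticate string, extraHosts ...string) (string, error) {
	realm, err := BearerRealm(wwwAuthenticate)
	if err == nil {
		err = RealmTrusted(upstream, realm, extraHosts...)
	}
	if err != nil {
		return "", err
	}
	return realm, nil
}

func main() {
	// Constructed challenges: the upstream's own, and the one an attacker in
	// the upstream or MitM position returns to harvest the proxy's credentials.
	const upstream = "https://registry.example.com"
	for _, h := range []string{
		`Bearer realm="https://registry.example.com/v2/token",service="registry.example.com",scope="repository:library/alpine:pull"`,
		`Bearer realm="https://attacker.example.net/token",service="registry.example.com",scope="repository:library/alpine:pull"`,
	} {
		realm, err := TokenEndpoint(upstream, h)
		fmt.Printf("credentials to %q: %v\n", realm, err)
	}
}
```

Comparing `Hostname()` rather than the raw `Host` string keeps a realm such as `https://registry.example.com@attacker.example.net/token` from passing on the strength of its userinfo part, and the https requirement stops a downgraded challenge from sending the basic-auth pair over plaintext.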
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for distribution",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for distribution fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260283).\n- CVE-2026-33540: information disclosure via improper validation of authentication realm URL (bsc#1261793).\n- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of\n service (bsc#1262951).\n- CVE-2026-35172: information disclosure via stale references after content deletion (bsc#1262096).\n\nNon security issues:\n\n- add distribution-registry.tmpfiles (jsc#PED-14747).\n- distribution builds against go1.24 EOL (bsc#1259718).\n\nChanges for distribution:\n\n- update to 3.1.0\n\n * Adds support for tag pagination\n * Fixes default credentials in Azure storage provider\n * Drops support for go1.23 and go1.24 and updates to go1.25\n * See the full changelog below for the full list of changes.\n * docs: Update to refer to new image tag v3\n * Fix default_credentials in azure storage provider\n * chore: make function comment match function name\n * build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in\n the go_modules group across 1 directory\n * fix: implement JWK thumbprint for Ed25519 public keys\n * fix: Annotate code block from validation.indexes\n configuration docs\n * feat: extract redis config to separate struct\n * Fix: resolve issue #4478 by using a temporary file for non-\n append writes\n * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2\n * docs: Add note about `OTEL_TRACES_EXPORTER`\n * fix: set OTEL traces to disabled by default\n * Fix markdown syntax for OTEL traces link in docs\n * Switch UUIDs to UUIDv7\n * refactor: replace map iteration with maps.Copy/Clone\n * s3-aws: fix build for 386\n * docs: Add OpenTelemetry links to quickstart docs\n * Fix S3 driver loglevel param\n * Fixed data race in TestSchedule test\n * Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of\n ecdsa keys\n * build(deps): bump actions/checkout from 4 to 5\n * Fix broken link to Docker Hub fair use policy\n * fix(registry/handlers/app): redis CAs\n * build(deps): bump actions/labeler from 5 to 6\n * build(deps): bump actions/setup-go from 5 to 6\n * build(deps): bump actions/upload-pages-artifact from 3 to 4\n * build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3\n * build(deps): bump github/codeql-action from 3.26.5 to 4.30.7\n * build(deps): bump github/codeql-action from 4.30.7 to 4.30.8\n * chore: labeler: add area/client mapping for\n internal/client/**\n * client: add Accept headers to Exists() HEAD\n * feat(registry): Make graceful shutdown test robust\n * fix(registry): Correct log formatting for upstream challenge\n * build(deps): bump github/codeql-action from 4.30.8 to 4.30.9\n * build(deps): bump github/codeql-action from 4.30.9 to 4.31.3\n * refactor: remove redundant variable declarations in for loops\n * \"should\" -\u003e \"must\" regarding redis eviction policy\n * build(deps): bump actions/checkout from 5 to 6\n * Incorrect warning hint\n * Add return error when list object\n * build(deps): bump actions/checkout from 5.0.1 to 6.0.0\n * build(deps): bump peter-evans/dockerhub-description from 4 to\n 5\n * fix: Logging regression for manifest HEAD requests\n * Add boolean parsing util\n * Expose `useFIPSEndpoint` for S3\n * Add Cloudfleet Container Registry to adopters\n * fix(ci): Fix broken Azure e2e storage tests\n * BUG: Fix notification filtering to work with actions when\n mediatypes is empty\n * build(deps): bump actions/checkout from 6.0.0 to 6.0.1\n * build(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0\n * build(deps): bump github/codeql-action from 4.31.3 to 4.31.10\n * build(deps): bump github/codeql-action from 4.31.10 to 4.32.2\n * build(deps): bump actions/checkout from 6.0.1 to 6.0.2\n * update golangci-lint to v2.9 and fix linting issues\n * update to go1.25.7, alpine 3.23, xx v1.9.0\n * vendor: github.com/sirupsen/logrus v1.9.4\n * vendor: update golang.org/x/* dependencies\n * vendor: github.com/docker/docker-credential-helpers v0.9.5\n * vendor: github.com/opencontainers/image-spec v1.1.1\n * vendor: github.com/klauspost/compress v1.18.4\n * fix: prefer otel variables over hard coded service name\n * vendor: github.com/spf13/cobra v1.10.2\n * vendor: github.com/bshuster-repo/logrus-logstash-hook v1.1.0\n * fix: sync parent dir to ensure data is reliably stored\n * modernize code\n * vendor: github.com/docker/go-events 605354379745\n * vendor: github.com/go-jose/go-jose/v4 v4.1.3\n * build(deps): bump github/codeql-action from 4.32.2 to 4.32.5\n * build(deps): bump docker/login-action from 3 to 4\n * build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0\n * build(deps): bump docker/setup-buildx-action from 3 to 4\n * build(deps): bump docker/bake-action from 6 to 7\n * build(deps): bump docker/metadata-action from 5 to 6\n * fix: nil-check scheduler in `proxyingRegistry.Close()`\n * fix: set MD5 on GCS writer before first `Write` call in\n `putContent`\n * docs: pull through cache will pull from remote multiple times\n * Update s3.md regionendpoint option\n * chore(deps): Bump Go to latest 1.25 in CI workflows and\n go.mod\n * fix: correct Ed25519 JWK thumbprint `kty` from `\"OTP\"` to\n `\"OKP\"`\n * Update vacuum.go\n * Opt: refector tag list pagination support (stage 1)\n * Correctly match environment variables to YAML-inlined structs\n in configuration\n * Enable Redis TLS without client certificates\n * build(deps): bump actions/deploy-pages from 4 to 5\n * build(deps): bump github/codeql-action from 4.32.5 to 4.34.1\n * fix(registry/proxy): use detached context when flushing write\n buffer\n * ci: pin actions and apply zizmor auto-fixes\n * build(deps): bump actions/setup-go from 6.3.0 to 6.4.0\n * build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to\n 4.1.4 in the go_modules group across 1 directory\n * chore(app): warn when partial TLS config is used in Redis\n * feat(registry): enhance authentication checks in htpasswd\n implementation\n * Opt: refactor tag list pagination support\n * build(deps): bump codecov/codecov-action from 5.5.4 to 6.0.0\n * build(deps): bump actions/configure-pages from 5.0.0 to 6.0.0\n * fix(vendor): fix broke vendor validation\n * chore(ci): Prep for v3.1 release\n- Update to version 3.1.0:\n * fix(vendor): fix broke vendpor validation\n * fix redis repo-scoped blob descriptor revocation\n * proxy: bind bearer realms to upstream trust boundary\n- restore directory ownership after last change\n- Move config files in systemd tmpfiles dir for immutable mode\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-703",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21560-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21560-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621560-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21560-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046338.html"
},
{
"category": "self",
"summary": "SUSE Bug 1259718",
"url": "https://bugzilla.suse.com/1259718"
},
{
"category": "self",
"summary": "SUSE Bug 1260283",
"url": "https://bugzilla.suse.com/1260283"
},
{
"category": "self",
"summary": "SUSE Bug 1261793",
"url": "https://bugzilla.suse.com/1261793"
},
{
"category": "self",
"summary": "SUSE Bug 1262096",
"url": "https://bugzilla.suse.com/1262096"
},
{
"category": "self",
"summary": "SUSE Bug 1262951",
"url": "https://bugzilla.suse.com/1262951"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34986 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34986/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-35172 page",
"url": "https://www.suse.com/security/cve/CVE-2026-35172/"
}
],
"title": "Security update for distribution",
"tracking": {
"current_release_date": "2026-05-06T00:44:14Z",
"generator": {
"date": "2026-05-06T00:44:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21560-1",
"initial_release_date": "2026-05-06T00:44:14Z",
"revision_history": [
{
"date": "2026-05-06T00:44:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64",
"product_id": "distribution-registry-3.1.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"product_id": "distribution-registry-3.1.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x",
"product_id": "distribution-registry-3.1.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64",
"product_id": "distribution-registry-3.1.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "distribution-registry-3.1.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
},
"product_reference": "distribution-registry-3.1.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-33540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33540"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33540",
"url": "https://www.suse.com/security/cve/CVE-2026-33540"
},
{
"category": "external",
"summary": "SUSE Bug 1261793 for CVE-2026-33540",
"url": "https://bugzilla.suse.com/1261793"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "moderate"
}
],
"title": "CVE-2026-33540"
},
{
"cve": "CVE-2026-34986",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34986"
}
],
"notes": [
{
"category": "general",
"text": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34986",
"url": "https://www.suse.com/security/cve/CVE-2026-34986"
},
{
"category": "external",
"summary": "SUSE Bug 1262805 for CVE-2026-34986",
"url": "https://bugzilla.suse.com/1262805"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-34986"
},
{
"cve": "CVE-2026-35172",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-35172"
}
],
"notes": [
{
"category": "general",
"text": "Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-35172",
"url": "https://www.suse.com/security/cve/CVE-2026-35172"
},
{
"category": "external",
"summary": "SUSE Bug 1262096 for CVE-2026-35172",
"url": "https://bugzilla.suse.com/1262096"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:distribution-registry-3.1.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:distribution-registry-3.1.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-06T00:44:14Z",
"details": "important"
}
],
"title": "CVE-2026-35172"
}
]
}
SUSE-SU-2026:21630-1
Vulnerability from csaf_suse - Published: 2026-05-09 15:46 - Updated: 2026-05-09 15:46
Summary
Security update for containerd
Severity
Important
Notes
Title of the patch: Security update for containerd
Description of the patch: This update for containerd fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260296).
Patchnames: SUSE-SLE-Micro-6.1-519
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd fixes the following issue:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path`\n pseudo-header (bsc#1260296).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-519",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21630-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21630-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621630-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21630-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046484.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260296",
"url": "https://bugzilla.suse.com/1260296"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for containerd",
"tracking": {
"current_release_date": "2026-05-09T15:46:13Z",
"generator": {
"date": "2026-05-09T15:46:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21630-1",
"initial_release_date": "2026-05-09T15:46:13Z",
"revision_history": [
{
"date": "2026-05-09T15:46:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-slfo.1.1_2.1.aarch64",
"product": {
"name": "containerd-1.7.29-slfo.1.1_2.1.aarch64",
"product_id": "containerd-1.7.29-slfo.1.1_2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"product": {
"name": "containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"product_id": "containerd-1.7.29-slfo.1.1_2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-slfo.1.1_2.1.s390x",
"product": {
"name": "containerd-1.7.29-slfo.1.1_2.1.s390x",
"product_id": "containerd-1.7.29-slfo.1.1_2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.7.29-slfo.1.1_2.1.x86_64",
"product": {
"name": "containerd-1.7.29-slfo.1.1_2.1.x86_64",
"product_id": "containerd-1.7.29-slfo.1.1_2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-slfo.1.1_2.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.aarch64"
},
"product_reference": "containerd-1.7.29-slfo.1.1_2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-slfo.1.1_2.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.ppc64le"
},
"product_reference": "containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-slfo.1.1_2.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.s390x"
},
"product_reference": "containerd-1.7.29-slfo.1.1_2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.7.29-slfo.1.1_2.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.x86_64"
},
"product_reference": "containerd-1.7.29-slfo.1.1_2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:containerd-1.7.29-slfo.1.1_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-09T15:46:13Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21732-1
Vulnerability from csaf_suse - Published: 2026-05-18 08:52 - Updated: 2026-05-18 08:52
Summary
Security update for google-guest-agent
Severity
Important
Notes
Title of the patch: Security update for google-guest-agent
Description of the patch: This update for google-guest-agent fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260264).
Patchnames: SUSE-SLE-Micro-6.1-532
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issue\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260264).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-532",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21732-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21732-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621732-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21732-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046716.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-05-18T08:52:51Z",
"generator": {
"date": "2026-05-18T08:52:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21732-1",
"initial_release_date": "2026-05-18T08:52:51Z",
"revision_history": [
{
"date": "2026-05-18T08:52:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"product": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"product_id": "google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"product": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"product_id": "google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"product": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"product_id": "google-guest-agent-20250506.01-slfo.1.1_2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64",
"product": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64",
"product_id": "google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64"
},
"product_reference": "google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le"
},
"product_reference": "google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.s390x"
},
"product_reference": "google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64"
},
"product_reference": "google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.aarch64",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.ppc64le",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.s390x",
"SUSE Linux Micro 6.1:google-guest-agent-20250506.01-slfo.1.1_2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:52:51Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21756-1
Vulnerability from csaf_suse - Published: 2026-05-22 11:51 - Updated: 2026-05-22 11:51
Summary
Security update for mcphost
Severity
Important
Notes
Title of the patch: Security update for mcphost
Description of the patch: This update for mcphost fixes the following issues:
- CVE-2025-30153: github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter (bsc#1264762).
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or (bsc#1265274).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read (bsc#1265275).
- CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption (bsc#1253952).
- CVE-2026-32285: github.com/buger/jsonparser: denial of service via malformed JSON input (bsc#1264759).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 `:path` pseudo-header (bsc#1260224).
Changes for mcphost:
- Updated to version 0.34.0
  * Features:
    - Upgrade charmbracelet libs to v2 (bubbletea, lipgloss, bubbles)
    - Add Google Vertex AI support for Claude models
    - Add new models.
  * Fixes:
    - Eliminate escape sequence leak from spinner tea.Program instances.
    - Fix anthropic api issue.
    - Convert JSON Schema draft-07 exclusive bounds to draft-04 format.
  * Upgrade all dependencies to latest versions, resolve security issues and to obtain Go 1.26 compatibility.
Patchnames: SUSE-SL-Micro-6.2-794
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
5.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
28 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mcphost",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mcphost fixes the following issues\n\n- CVE-2025-30153: github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed Data (Data\n Amplification) in github.com/getkin/kin-openapi/openapi3filter (bsc#1264762).\n- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in\n response to a key listing or (bsc#1265274).\n- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds\n read (bsc#1265275).\n- CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption\n (bsc#1253952).\n- CVE-2026-32285: github.com/buger/jsonparser: denial of service via malformed JSON input (bsc#1264759).\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260224).\n\nChanges for mcphost:\n\n- Updated to version 0.34.0\n * Features:\n - Upgrade charmbracelet libs to v2 (bubbletea, lipgloss, bubbles)\n - Add Google Vertex AI support for Claude models\n - Add new models.\n * Fixes:\n - Eliminate escape sequence leak from spinner tea.Program instances.\n - Fix anthropic api issue.\n - Convert JSON Schema draft-07 exclusive bounds to draft-04 format.\n * Upgrade all dependencies to latest versions, resolve security issues\n and to obtain Go 1.26 compatibility.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-794",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21756-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21756-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621756-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21756-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046760.html"
},
{
"category": "self",
"summary": "SUSE Bug 1253952",
"url": "https://bugzilla.suse.com/1253952"
},
{
"category": "self",
"summary": "SUSE Bug 1260224",
"url": "https://bugzilla.suse.com/1260224"
},
{
"category": "self",
"summary": "SUSE Bug 1264759",
"url": "https://bugzilla.suse.com/1264759"
},
{
"category": "self",
"summary": "SUSE Bug 1264762",
"url": "https://bugzilla.suse.com/1264762"
},
{
"category": "self",
"summary": "SUSE Bug 1265274",
"url": "https://bugzilla.suse.com/1265274"
},
{
"category": "self",
"summary": "SUSE Bug 1265275",
"url": "https://bugzilla.suse.com/1265275"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30153 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30153/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for mcphost",
"tracking": {
"current_release_date": "2026-05-22T11:51:53Z",
"generator": {
"date": "2026-05-22T11:51:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21756-1",
"initial_release_date": "2026-05-22T11:51:53Z",
"revision_history": [
{
"date": "2026-05-22T11:51:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.aarch64",
"product": {
"name": "mcphost-0.34.0-160000.1.1.aarch64",
"product_id": "mcphost-0.34.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.ppc64le",
"product": {
"name": "mcphost-0.34.0-160000.1.1.ppc64le",
"product_id": "mcphost-0.34.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.s390x",
"product": {
"name": "mcphost-0.34.0-160000.1.1.s390x",
"product_id": "mcphost-0.34.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.x86_64",
"product": {
"name": "mcphost-0.34.0-160000.1.1.x86_64",
"product_id": "mcphost-0.34.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le"
},
"product_reference": "mcphost-0.34.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x"
},
"product_reference": "mcphost-0.34.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-30153",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30153"
}
],
"notes": [
{
"category": "general",
"text": "kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30153",
"url": "https://www.suse.com/security/cve/CVE-2025-30153"
},
{
"category": "external",
"summary": "SUSE Bug 1264761 for CVE-2025-30153",
"url": "https://bugzilla.suse.com/1264761"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2025-30153"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2026-32285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32285"
}
],
"notes": [
{
"category": "general",
"text": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32285",
"url": "https://www.suse.com/security/cve/CVE-2026-32285"
},
{
"category": "external",
"summary": "SUSE Bug 1261230 for CVE-2026-32285",
"url": "https://bugzilla.suse.com/1261230"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2026-32285"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Micro 6.2:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
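The CVE-2026-33186 description in the record above explains the bypass in words: a path-based RBAC interceptor compares the raw `:path` string against deny rules written with a leading slash, so `admin.Admin/DeleteUser` matches no deny rule and falls through to the fallback allow. The Go program below is an added example written for this page, not code from gRPC-Go, SUSE, mcphost or alloy. It models the deny-then-allow policy and the string comparison with the standard library only (no gRPC import), so the hypothetical `Policy`, `authorize` and `validatePath` names stand in for a `grpc.UnaryServerInterceptor` reading `info.FullMethod`, `ErrBadPath` stands in for the `codes.Unimplemented` status, and the deny path `/admin.Admin/DeleteUser` is a constructed sample. `validatePath` is the "validating interceptor" mitigation: its leading-slash check is what the 1.79.3 fix enforces, while the additional requirement of exactly one service and one method segment is this example's stricter choice, not something the advisory specifies.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of the authorization step for one request.
type Decision int

const (
	Allowed  Decision = iota // policy fell through to the fallback allow rule
	Denied                   // an explicit deny rule matched
	Rejected                 // refused before the policy ran (validating interceptor)
)

func (d Decision) String() string {
	return []string{"allowed", "denied", "rejected"}[d]
}

// Policy models the vulnerable configuration the advisory describes: explicit
// deny rules on canonical method paths plus a fallback rule that allows
// everything else. It is a hypothetical stand-in for an RBAC policy, not the
// grpc/authz package.
type Policy struct {
	DenyPaths    []string // canonical paths, e.g. "/admin.Admin/DeleteUser"
	AllowDefault bool
}

// evaluate compares the raw method string against the deny rules by plain
// equality, which is the behaviour that lets "Service/Method" slip past a
// deny rule written as "/Service/Method".
func (p Policy) evaluate(rawPath string) Decision {
	for _, deny := range p.DenyPaths {
		if rawPath == deny {
			return Denied
		}
	}
	if p.AllowDefault {
		return Allowed
	}
	return Denied
}

// ErrBadPath stands in for the codes.Unimplemented status that gRPC-Go 1.79.3
// returns for a non-canonical :path; this example does not import gRPC.
var ErrBadPath = errors.New("unimplemented: method path must be /Service/Method")

// validatePath is the validating-interceptor mitigation. The leading-slash
// check mirrors the upstream fix; requiring exactly one service segment and one
// method segment is an extra, stricter choice made in this example.
func validatePath(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrBadPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrBadPath
	}
	return nil
}

// authorize runs the (optional) validating interceptor ahead of the policy.
// The ordering matters: the policy must never see a non-canonical string.
func authorize(p Policy, rawPath string, validate bool) Decision {
	if validate {
		if err := validatePath(rawPath); err != nil {
			return Rejected
		}
	}
	return p.evaluate(rawPath)
}

func main() {
	// Constructed sample policy: one deny rule, allow everything else.
	p := Policy{DenyPaths: []string{"/admin.Admin/DeleteUser"}, AllowDefault: true}
	for _, path := range []string{
		"/admin.Admin/DeleteUser", // canonical: deny rule matches
		"admin.Admin/DeleteUser",  // missing slash: bypass on the unfixed server
		"/public.Health/Check",    // unrelated method: fallback allow
	} {
		fmt.Printf("%-25s unfixed=%-8s with validator=%s\n",
			path, authorize(p, path, false), authorize(p, path, true))
	}
}
```

Running it shows the three outcomes side by side: the canonical path is denied either way, the slash-less path is allowed by the unfixed chain but rejected once the validator runs first, and an unrelated canonical method still reaches the fallback allow. Note that an interceptor which normalised the path (prepending the slash) instead of rejecting it would also close the gap, but rejection is what the upstream fix does and avoids guessing what the attacker meant.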
SUSE-SU-2026:21793-1
Vulnerability from csaf_suse - Published: 2026-05-14 15:04 - Updated: 2026-05-14 15:04
Summary
Security update for alloy
Severity
Important
Notes
Title of the patch: Security update for alloy
Description of the patch: This update for alloy fixes the following issues
Security issues:
- CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server to crash a client application via a DataRow message (bsc#1259919).
- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258099).
- CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results and lead to undefined behavior (bsc#1258609).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260317).
Non security issue:
- Updated to 1.16.0
- Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815)
Patchnames: SUSE-SLES-16.0-747
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64 | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x | — | | Vendor Fix |
| SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
20 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for alloy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for alloy fixes the following issues\n\nSecurity issues:\n\n- CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server\n to crash a client application via a DataRow message (bsc#1259919).\n- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files\n can lead to the consumption of corrupted files (bsc#1258099).\n- CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results\n and lead to undefined behavior (bsc#1258609).\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260317).\n\nNon security issue:\n\n- Updated to 1.16.0\n- Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-747",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21793-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21793-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621793-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21793-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046820.html"
},
{
"category": "self",
"summary": "SUSE Bug 1258099",
"url": "https://bugzilla.suse.com/1258099"
},
{
"category": "self",
"summary": "SUSE Bug 1258609",
"url": "https://bugzilla.suse.com/1258609"
},
{
"category": "self",
"summary": "SUSE Bug 1259919",
"url": "https://bugzilla.suse.com/1259919"
},
{
"category": "self",
"summary": "SUSE Bug 1260317",
"url": "https://bugzilla.suse.com/1260317"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25934 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25934/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26958 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26958/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-4427 page",
"url": "https://www.suse.com/security/cve/CVE-2026-4427/"
}
],
"title": "Security update for alloy",
"tracking": {
"current_release_date": "2026-05-14T15:04:53Z",
"generator": {
"date": "2026-05-14T15:04:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21793-1",
"initial_release_date": "2026-05-14T15:04:53Z",
"revision_history": [
{
"date": "2026-05-14T15:04:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.0-160000.1.1.aarch64",
"product": {
"name": "alloy-1.16.0-160000.1.1.aarch64",
"product_id": "alloy-1.16.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.0-160000.1.1.ppc64le",
"product": {
"name": "alloy-1.16.0-160000.1.1.ppc64le",
"product_id": "alloy-1.16.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.0-160000.1.1.s390x",
"product": {
"name": "alloy-1.16.0-160000.1.1.s390x",
"product_id": "alloy-1.16.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "alloy-1.16.0-160000.1.1.x86_64",
"product": {
"name": "alloy-1.16.0-160000.1.1.x86_64",
"product_id": "alloy-1.16.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64"
},
"product_reference": "alloy-1.16.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.16.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x"
},
"product_reference": "alloy-1.16.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64"
},
"product_reference": "alloy-1.16.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64"
},
"product_reference": "alloy-1.16.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le"
},
"product_reference": "alloy-1.16.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x"
},
"product_reference": "alloy-1.16.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "alloy-1.16.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
},
"product_reference": "alloy-1.16.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25934",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25934"
}
],
"notes": [
{
"category": "general",
"text": "go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25934",
"url": "https://www.suse.com/security/cve/CVE-2026-25934"
},
{
"category": "external",
"summary": "SUSE Bug 1258093 for CVE-2026-25934",
"url": "https://bugzilla.suse.com/1258093"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T15:04:53Z",
"details": "moderate"
}
],
"title": "CVE-2026-25934"
},
{
"cve": "CVE-2026-26958",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26958"
}
],
"notes": [
{
"category": "general",
"text": "filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26958",
"url": "https://www.suse.com/security/cve/CVE-2026-26958"
},
{
"category": "external",
"summary": "SUSE Bug 1258570 for CVE-2026-26958",
"url": "https://bugzilla.suse.com/1258570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T15:04:53Z",
"details": "moderate"
}
],
"title": "CVE-2026-26958"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T15:04:53Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
},
{
"cve": "CVE-2026-4427",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-4427"
}
],
"notes": [
{
"category": "general",
"text": "Duplicate of CVE-2026-32286",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-4427",
"url": "https://www.suse.com/security/cve/CVE-2026-4427"
},
{
"category": "external",
"summary": "SUSE Bug 1259910 for CVE-2026-4427",
"url": "https://bugzilla.suse.com/1259910"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:alloy-1.16.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:alloy-1.16.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-14T15:04:53Z",
"details": "important"
}
],
"title": "CVE-2026-4427"
}
]
}
SUSE-SU-2026:21803-1
Vulnerability from csaf_suse - Published: 2026-05-17 09:09 - Updated: 2026-05-17 09:09
Summary
Security update for google-guest-agent
Severity
Important
Notes
Title of the patch: Security update for google-guest-agent
Description of the patch: This update for google-guest-agent fixes the following issue
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260264).
Patchnames: SUSE-SLES-16.0-757
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issue\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260264).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-757",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21803-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21803-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621803-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21803-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046810.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-05-17T09:09:33Z",
"generator": {
"date": "2026-05-17T09:09:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21803-1",
"initial_release_date": "2026-05-17T09:09:33Z",
"revision_history": [
{
"date": "2026-05-17T09:09:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-160000.2.1.aarch64",
"product": {
"name": "google-guest-agent-20250506.01-160000.2.1.aarch64",
"product_id": "google-guest-agent-20250506.01-160000.2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-160000.2.1.x86_64",
"product": {
"name": "google-guest-agent-20250506.01-160000.2.1.x86_64",
"product_id": "google-guest-agent-20250506.01-160000.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.2.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64"
},
"product_reference": "google-guest-agent-20250506.01-160000.2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.2.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64"
},
"product_reference": "google-guest-agent-20250506.01-160000.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.2.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64"
},
"product_reference": "google-guest-agent-20250506.01-160000.2.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.2.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64"
},
"product_reference": "google-guest-agent-20250506.01-160000.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-17T09:09:33Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21827-1
Vulnerability from csaf_suse - Published: 2026-05-22 11:51 - Updated: 2026-05-22 11:51
Summary
Security update for mcphost
Severity
Important
Notes
Title of the patch: Security update for mcphost
Description of the patch: This update for mcphost fixes the following issues
- CVE-2025-30153: github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter (bsc#1264762).
- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or (bsc#1265274).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read (bsc#1265275).
- CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption (bsc#1253952).
- CVE-2026-32285: github.com/buger/jsonparser: denial of service via malformed JSON input (bsc#1264759).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260224).
Changes for mcphost:
- Updated to version 0.34.0
* Features:
- Upgrade charmbracelet libs to v2 (bubbletea, lipgloss, bubbles)
- Add Google Vertex AI support for Claude models
- Add new models.
* Fixes:
- Eliminate escape sequence leak from spinner tea.Program instances.
- Fix anthropic api issue.
- Convert JSON Schema draft-07 exclusive bounds to draft-04 format.
* Upgrade all dependencies to latest versions, resolve security issues and to obtain Go 1.26 compatibility.
Patchnames: SUSE-SLES-16.0-794
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
7.5 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
Threats
Impact
moderate
5.5 (Medium)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64 | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x | | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64 | | — | Vendor Fix |
Threats
Impact
important
References
28 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for mcphost",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for mcphost fixes the following issues\n\n- CVE-2025-30153: github.com/getkin/kin-openapi/openapi3filter: Improper Handling of Highly Compressed Data (Data\n Amplification) in github.com/getkin/kin-openapi/openapi3filter (bsc#1264762).\n- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in\n response to a key listing or (bsc#1265274).\n- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds\n read (bsc#1265275).\n- CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption\n (bsc#1253952).\n- CVE-2026-32285: github.com/buger/jsonparser: denial of service via malformed JSON input (bsc#1264759).\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-\n header (bsc#1260224).\n\nChanges for mcphost:\n\n- Updated to version 0.34.0\n * Features:\n - Upgrade charmbracelet libs to v2 (bubbletea, lipgloss, bubbles)\n - Add Google Vertex AI support for Claude models\n - Add new models.\n * Fixes:\n - Eliminate escape sequence leak from spinner tea.Program instances.\n - Fix anthropic api issue.\n - Convert JSON Schema draft-07 exclusive bounds to draft-04 format.\n * Upgrade all dependencies to latest versions, resolve security issues\n and to obtain Go 1.26 compatibility.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-794",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21827-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21827-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621827-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21827-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046786.html"
},
{
"category": "self",
"summary": "SUSE Bug 1253952",
"url": "https://bugzilla.suse.com/1253952"
},
{
"category": "self",
"summary": "SUSE Bug 1260224",
"url": "https://bugzilla.suse.com/1260224"
},
{
"category": "self",
"summary": "SUSE Bug 1264759",
"url": "https://bugzilla.suse.com/1264759"
},
{
"category": "self",
"summary": "SUSE Bug 1264762",
"url": "https://bugzilla.suse.com/1264762"
},
{
"category": "self",
"summary": "SUSE Bug 1265274",
"url": "https://bugzilla.suse.com/1265274"
},
{
"category": "self",
"summary": "SUSE Bug 1265275",
"url": "https://bugzilla.suse.com/1265275"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-30153 page",
"url": "https://www.suse.com/security/cve/CVE-2025-30153/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47914 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47914/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32285 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for mcphost",
"tracking": {
"current_release_date": "2026-05-22T11:51:53Z",
"generator": {
"date": "2026-05-22T11:51:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21827-1",
"initial_release_date": "2026-05-22T11:51:53Z",
"revision_history": [
{
"date": "2026-05-22T11:51:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.aarch64",
"product": {
"name": "mcphost-0.34.0-160000.1.1.aarch64",
"product_id": "mcphost-0.34.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.ppc64le",
"product": {
"name": "mcphost-0.34.0-160000.1.1.ppc64le",
"product_id": "mcphost-0.34.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.s390x",
"product": {
"name": "mcphost-0.34.0-160000.1.1.s390x",
"product_id": "mcphost-0.34.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "mcphost-0.34.0-160000.1.1.x86_64",
"product": {
"name": "mcphost-0.34.0-160000.1.1.x86_64",
"product_id": "mcphost-0.34.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le"
},
"product_reference": "mcphost-0.34.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x"
},
"product_reference": "mcphost-0.34.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le"
},
"product_reference": "mcphost-0.34.0-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x"
},
"product_reference": "mcphost-0.34.0-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mcphost-0.34.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
},
"product_reference": "mcphost-0.34.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-30153",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-30153"
}
],
"notes": [
{
"category": "general",
"text": "kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-30153",
"url": "https://www.suse.com/security/cve/CVE-2025-30153"
},
{
"category": "external",
"summary": "SUSE Bug 1264761 for CVE-2025-30153",
"url": "https://bugzilla.suse.com/1264761"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2025-30153"
},
{
"cve": "CVE-2025-47913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47913"
}
],
"notes": [
{
"category": "general",
"text": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47913",
"url": "https://www.suse.com/security/cve/CVE-2025-47913"
},
{
"category": "external",
"summary": "SUSE Bug 1253506 for CVE-2025-47913",
"url": "https://bugzilla.suse.com/1253506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2025-47913"
},
{
"cve": "CVE-2025-47914",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47914"
}
],
"notes": [
{
"category": "general",
"text": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47914",
"url": "https://www.suse.com/security/cve/CVE-2025-47914"
},
{
"category": "external",
"summary": "SUSE Bug 1253967 for CVE-2025-47914",
"url": "https://bugzilla.suse.com/1253967"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2025-47914"
},
{
"cve": "CVE-2025-58181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58181"
}
],
"notes": [
{
"category": "general",
"text": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58181",
"url": "https://www.suse.com/security/cve/CVE-2025-58181"
},
{
"category": "external",
"summary": "SUSE Bug 1253784 for CVE-2025-58181",
"url": "https://bugzilla.suse.com/1253784"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2025-58181"
},
{
"cve": "CVE-2026-32285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32285"
}
],
"notes": [
{
"category": "general",
"text": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32285",
"url": "https://www.suse.com/security/cve/CVE-2026-32285"
},
{
"category": "external",
"summary": "SUSE Bug 1261230 for CVE-2026-32285",
"url": "https://bugzilla.suse.com/1261230"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "moderate"
}
],
"title": "CVE-2026-32285"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:mcphost-0.34.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:mcphost-0.34.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-22T11:51:53Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21849-1
Vulnerability from csaf_suse - Published: 2026-05-26 12:20 - Updated: 2026-05-26 12:20
Summary
Security update for google-osconfig-agent
Severity
Important
Notes
Title of the patch: Security update for google-osconfig-agent
Description of the patch: This update for google-osconfig-agent fixes the following issues:
- CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236533).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260264).
Patchnames: SUSE-SLES-16.0-805
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64 | — | | Vendor Fix |
Threats
Impact
moderate
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-osconfig-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-osconfig-agent fixes the following issues:\n\n- CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers (bsc#1236533).\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260264).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-805",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21849-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21849-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621849-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21849-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/046925.html"
},
{
"category": "self",
"summary": "SUSE Bug 1236533",
"url": "https://bugzilla.suse.com/1236533"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45288 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45288/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for google-osconfig-agent",
"tracking": {
"current_release_date": "2026-05-26T12:20:11Z",
"generator": {
"date": "2026-05-26T12:20:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21849-1",
"initial_release_date": "2026-05-26T12:20:11Z",
"revision_history": [
{
"date": "2026-05-26T12:20:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"product": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"product_id": "google-osconfig-agent-20250416.02-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"product": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"product_id": "google-osconfig-agent-20250416.02-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64"
},
"product_reference": "google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
},
"product_reference": "google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64"
},
"product_reference": "google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
},
"product_reference": "google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45288",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45288"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45288",
"url": "https://www.suse.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "SUSE Bug 1221400 for CVE-2023-45288",
"url": "https://bugzilla.suse.com/1221400"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-26T12:20:11Z",
"details": "moderate"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-osconfig-agent-20250416.02-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-26T12:20:11Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}
SUSE-SU-2026:21870-1
Vulnerability from csaf_suse - Published: 2026-05-26 10:47 - Updated: 2026-05-26 10:47
Summary
Security update for google-osconfig-agent
Severity
Important
Notes
Title of the patch: Security update for google-osconfig-agent
Description of the patch: This update for google-osconfig-agent fixes the following issue:
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260264).
Patchnames: SUSE-SLE-Micro-6.1-547
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64 | — | | Vendor Fix |
Threats
Impact
important
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-osconfig-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-osconfig-agent fixes the following issue:\n\n- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260264).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-547",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21870-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21870-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621870-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21870-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047018.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260264",
"url": "https://bugzilla.suse.com/1260264"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-33186 page",
"url": "https://www.suse.com/security/cve/CVE-2026-33186/"
}
],
"title": "Security update for google-osconfig-agent",
"tracking": {
"current_release_date": "2026-05-26T10:47:01Z",
"generator": {
"date": "2026-05-26T10:47:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21870-1",
"initial_release_date": "2026-05-26T10:47:01Z",
"revision_history": [
{
"date": "2026-05-26T10:47:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"product": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"product_id": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"product": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"product_id": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"product": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"product_id": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64",
"product": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64",
"product_id": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64"
},
"product_reference": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le"
},
"product_reference": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x"
},
"product_reference": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64"
},
"product_reference": "google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33186",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-33186"
}
],
"notes": [
{
"category": "general",
"text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-33186",
"url": "https://www.suse.com/security/cve/CVE-2026-33186"
},
{
"category": "external",
"summary": "SUSE Bug 1260085 for CVE-2026-33186",
"url": "https://bugzilla.suse.com/1260085"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.aarch64",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.ppc64le",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.s390x",
"SUSE Linux Micro 6.1:google-osconfig-agent-20250416.02-slfo.1.1_3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-26T10:47:01Z",
"details": "important"
}
],
"title": "CVE-2026-33186"
}
]
}