SUSE-SU-2026:21376-1
Vulnerability from csaf_suse - Published: 2026-04-22 10:23 - Updated: 2026-04-22 10:23Summary
Security update for google-guest-agent
Severity
Important
Notes
Title of the patch: Security update for google-guest-agent
Description of the patch: This update for google-guest-agent fixes the following issues:
Update to version 20250506.01 (bsc#1243254, bsc#1243505).
Security issues fixed:
- CVE-2024-45337: golang.org/x/crypto/ssh: misuse of the ServerConfig.PublicKeyCallback callback can lead to
authorization bypass in applications (bsc#1234563).
- CVE-2023-45288: golang.org/x/net/http2: no limit set for number of HTTP/2 CONTINUATION frames that can be read for an
HTTP/2 request can lead to excessive CPU consumption and a DoS (bsc#1236533).
Other updates and bugfixes:
- Version 20250506.01:
* Make sure agent added connections are activated by NM (#534)
- Version 20250506.00:
* Wrap NSS cache refresh in a goroutine (#533)
- Version 20250502.01:
* Wicked: Only reload interfaces for which configurations are written or changed. (#524)
- Version 20250502.00:
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- Version 20250418.00:
* Re-enable disabled services if the core plugin was enabled (#521)
- Version 20250414.00:
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- Version 20250327.01 (bsc#1239763, bsc#1239866):
* Remove error messages from gce_workload_cert_refresh and
metadata script runner (#527)
- Version 20250327.00:
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of
modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- Version 20250326.00:
* Re-enable disabled services if the core plugin was enabled (#521)
- Version 20250324.00:
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
- Version 20250317.00:
* Revert "Revert bundling new binaries in the package (#509)" (#511)
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
- Version 20250312.00:
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
- Version 20250305.00:
* Revert bundling new binaries in the package (#509)
* Fix typo in windows build script (#501)
* Include core plugin binary for all packages (#500)
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
- Version 20250304.01:
* Fix typo in windows build script (#501)
- Version 20250214.01:
* Include core plugin binary for all packages (#500)
- Version 20250212.00:
* Start packaging compat manager (#498)
* Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)
- Version 20250211.00:
* scripts: introduce a wrapper to locally build deb package (#490)
* Introduce compat-manager systemd unit (#497)
- Version 20250207.00:
* vlan: toggle vlan configuration in debian packaging (#495)
* vlan: move config out of unstable section (#494)
* Add clarification to comments regarding invalid NICs and the
`invalid` tag. (#493)
* Include interfaces in lists even if it has an invalid MAC. (#489)
* Fix windows package build failures (#491)
* vlan: don't index based on the vlan ID (#486)
* Revert PR #482 (#488)
* Remove Amy and Zach from OWNERS (#487)
* Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
* Fix Debian packaging if guest agent manager is not checked out (#485)
- Version 20250204.02:
* force concourse to move version forward.
- Version 20250204.01:
* vlan: toggle vlan configuration in debian packaging (#495)
- Version 20250204.00:
* vlan: move config out of unstable section (#494)
* Add clarification to comments regarding invalid NICs and the
`invalid` tag. (#493)
- Version 20250203.01:
* Include interfaces in lists even if it has an invalid MAC. (#489)
- Version 20250203.00:
* Fix windows package build failures (#491)
* vlan: don't index based on the vlan ID (#486)
* Revert PR #482 (#488)
* Remove Amy and Zach from OWNERS (#487)
* Skip interfaces in interfaceNames() instead of erroring if there is an (#482)
* Fix Debian packaging if guest agent manager is not checked out (#485)
- Version 20250122.00:
* networkd(vlan): remove the interface in addition to config (#468)
* Implement support for vlan dynamic removal, update dhclient to
remove only if configured (#465)
* Update logging library (#479)
* Remove Pat from owners file. (#478)
Patchnames: SUSE-SLES-16.0-621
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
8.1 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for google-guest-agent",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for google-guest-agent fixes the following issues:\n\nUpdate to version 20250506.01 (bsc#1243254, bsc#1243505).\n\nSecurity issues fixed:\n\n- CVE-2024-45337: golang.org/x/crypto/ssh: misuse of the ServerConfig.PublicKeyCallback callback can lead to\n authorization bypass in applications (bsc#1234563).\n- CVE-2023-45288: golang.org/x/net/http2: no limit set for number of HTTP/2 CONTINUATION frames that can be read for an\n HTTP/2 request can lead to excessive CPU consumption and a DoS (bsc#1236533).\n\nOther updates and bugfixes:\n\n- Version 20250506.01:\n * Make sure agent added connections are activated by NM (#534)\n- Version 20250506.00:\n * Wrap NSS cache refresh in a goroutine (#533)\n- Version 20250502.01:\n * Wicked: Only reload interfaces for which configurations are written or changed. (#524)\n- Version 20250502.00:\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- Version 20250418.00:\n * Re-enable disabled services if the core plugin was enabled (#521)\n- Version 20250414.00:\n * Add AuthorizedKeysCompat to windows packaging (#530)\n * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- Version 20250327.01 (bsc#1239763, bsc#1239866):\n * Remove error messages from gce_workload_cert_refresh and\n metadata script runner (#527)\n- Version 20250327.00:\n * Update guest-logging-go dependency (#526)\n * Add \u0027created-by\u0027 metadata, and pass it as option to logging library (#508)\n * Revert \"oslogin: Correctly handle newlines at the end of\n modified files (#520)\" (#523)\n * Re-enable disabled services if the core plugin was enabled (#522)\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n- Version 20250326.00:\n * Re-enable disabled services if the core plugin was enabled (#521)\n- Version 20250324.00:\n * Enable guest services on package upgrade (#519)\n * oslogin: Correctly handle newlines at the end of modified files (#520)\n * Fix core plugin path (#518)\n * Fix package build issues (#517)\n * Fix dependencies ran go mod tidy -v (#515)\n * Fix debian build path (#514)\n * Bundle compat metadata script runner binary in package (#513)\n * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)\n * Update startup/shutdown services to launch compat manager (#503)\n * Bundle new gce metadata script runner binary in agent package (#502)\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n * Revert bundling new binaries in the package (#509)\n * Fix typo in windows build script (#501)\n * Include core plugin binary for all packages (#500)\n * Start packaging compat manager (#498)\n * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)\n * scripts: introduce a wrapper to locally build deb package (#490)\n * Introduce compat-manager systemd unit (#497)\n- Version 20250317.00:\n * Revert \"Revert bundling new binaries in the package (#509)\" (#511)\n * Revert bundling new binaries in the package (#509)\n * Fix typo in windows build script (#501)\n * Include core plugin binary for all packages (#500)\n * Start packaging compat manager (#498)\n * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)\n * scripts: introduce a wrapper to locally build deb package (#490)\n * Introduce compat-manager systemd unit (#497)\n- Version 20250312.00:\n * Revert bundling new binaries in the package (#509)\n * Fix typo in windows build script (#501)\n * Include core plugin binary for all packages (#500)\n * Start packaging compat manager (#498)\n * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)\n * scripts: introduce a wrapper to locally build deb package (#490)\n * Introduce compat-manager systemd unit (#497)\n- Version 20250305.00:\n * Revert bundling new binaries in the package (#509)\n * Fix typo in windows build script (#501)\n * Include core plugin binary for all packages (#500)\n * Start packaging compat manager (#498)\n * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)\n * scripts: introduce a wrapper to locally build deb package (#490)\n * Introduce compat-manager systemd unit (#497)\n- Version 20250304.01:\n * Fix typo in windows build script (#501)\n- Version 20250214.01:\n * Include core plugin binary for all packages (#500)\n- Version 20250212.00:\n * Start packaging compat manager (#498)\n * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492)\n- Version 20250211.00:\n * scripts: introduce a wrapper to locally build deb package (#490)\n * Introduce compat-manager systemd unit (#497)\n- Version 20250207.00:\n * vlan: toggle vlan configuration in debian packaging (#495)\n * vlan: move config out of unstable section (#494)\n * Add clarification to comments regarding invalid NICs and the\n `invalid` tag. (#493)\n * Include interfaces in lists even if it has an invalid MAC. (#489)\n * Fix windows package build failures (#491)\n * vlan: don\u0027t index based on the vlan ID (#486)\n * Revert PR #482 (#488)\n * Remove Amy and Zach from OWNERS (#487)\n * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)\n * Fix Debian packaging if guest agent manager is not checked out (#485)\n- Version 20250204.02:\n * force concourse to move version forward.\n- Version 20250204.01:\n * vlan: toggle vlan configuration in debian packaging (#495)\n- Version 20250204.00:\n * vlan: move config out of unstable section (#494)\n * Add clarification to comments regarding invalid NICs and the\n `invalid` tag. (#493)\n- Version 20250203.01:\n * Include interfaces in lists even if it has an invalid MAC. (#489)\n- Version 20250203.00:\n * Fix windows package build failures (#491)\n * vlan: don\u0027t index based on the vlan ID (#486)\n * Revert PR #482 (#488)\n * Remove Amy and Zach from OWNERS (#487)\n * Skip interfaces in interfaceNames() instead of erroring if there is an (#482)\n * Fix Debian packaging if guest agent manager is not checked out (#485)\n- Version 20250122.00:\n * networkd(vlan): remove the interface in addition to config (#468)\n * Implement support for vlan dynamic removal, update dhclient to\n remove only if configured (#465)\n * Update logging library (#479)\n * Remove Pat from owners file. (#478)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-621",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21376-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21376-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621376-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21376-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/046065.html"
},
{
"category": "self",
"summary": "SUSE Bug 1234563",
"url": "https://bugzilla.suse.com/1234563"
},
{
"category": "self",
"summary": "SUSE Bug 1236533",
"url": "https://bugzilla.suse.com/1236533"
},
{
"category": "self",
"summary": "SUSE Bug 1239763",
"url": "https://bugzilla.suse.com/1239763"
},
{
"category": "self",
"summary": "SUSE Bug 1239866",
"url": "https://bugzilla.suse.com/1239866"
},
{
"category": "self",
"summary": "SUSE Bug 1243254",
"url": "https://bugzilla.suse.com/1243254"
},
{
"category": "self",
"summary": "SUSE Bug 1243505",
"url": "https://bugzilla.suse.com/1243505"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-45288 page",
"url": "https://www.suse.com/security/cve/CVE-2023-45288/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "Security update for google-guest-agent",
"tracking": {
"current_release_date": "2026-04-22T10:23:05Z",
"generator": {
"date": "2026-04-22T10:23:05Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21376-1",
"initial_release_date": "2026-04-22T10:23:05Z",
"revision_history": [
{
"date": "2026-04-22T10:23:05Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-160000.1.1.aarch64",
"product": {
"name": "google-guest-agent-20250506.01-160000.1.1.aarch64",
"product_id": "google-guest-agent-20250506.01-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "google-guest-agent-20250506.01-160000.1.1.x86_64",
"product": {
"name": "google-guest-agent-20250506.01-160000.1.1.x86_64",
"product_id": "google-guest-agent-20250506.01-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64"
},
"product_reference": "google-guest-agent-20250506.01-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
},
"product_reference": "google-guest-agent-20250506.01-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64"
},
"product_reference": "google-guest-agent-20250506.01-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "google-guest-agent-20250506.01-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
},
"product_reference": "google-guest-agent-20250506.01-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45288",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-45288"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-45288",
"url": "https://www.suse.com/security/cve/CVE-2023-45288"
},
{
"category": "external",
"summary": "SUSE Bug 1221400 for CVE-2023-45288",
"url": "https://bugzilla.suse.com/1221400"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T10:23:05Z",
"details": "moderate"
}
],
"title": "CVE-2023-45288"
},
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:google-guest-agent-20250506.01-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-22T10:23:05Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…