suse-sles-15-sp5-v20260425-x86_64-ltd CVE scan on 2026-04-25T03:17:26+00:00

CVE-2024-12087 Severity: Important CVSS3 score: 8.8

Description: A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2024-6174 Severity: Important CVSS3 score: 8.8

Description: When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Packages affected:

sle-module-public-cloud-release == 15.5 (version in image is 15.5-150500.43.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2026-27820 Severity: Important CVSS3 score: 8.8

Description: zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2026-34714 Severity: Important CVSS3 score: 8.6

Description: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-33747 Severity: Important CVSS3 score: 8.4

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2024-47220 Severity: Important CVSS3 score: 8.2

Description: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2026-1299 Severity: Important CVSS3 score: 8.2

Description: The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-34982 Severity: Important CVSS3 score: 8.2

Description: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2024-56326 Severity: Important CVSS3 score: 8.1

Description: Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
python3-Jinja2 > 0-0 (version in image is 2.10.1-150000.3.21.1).

CVE-2026-33186 Severity: Important CVSS3 score: 8.1

Description: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2026-33416 Severity: Important CVSS3 score: 8.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.22.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2026-6100 Severity: Important CVSS3 score: 8.1

Description: Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2024-56737 Severity: Important CVSS3 score: 7.8

Description: GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-45582 Severity: Important CVSS3 score: 7.8

Description: GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
tar < 1.34-150000.3.37.1 (version in image is 1.34-150000.3.34.1).

CVE-2026-0861 Severity: Important CVSS3 score: 7.8

Description: Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc < 2.31-150300.98.1 (version in image is 2.31-150300.95.1).

CVE-2026-23554 Severity: Important CVSS3 score: 7.8

Description: The Intel EPT paging code uses an optimization to defer flushing of any cachedEPT state until the p2m lock is dropped, so that multiple modifications doneunder the same locked region only issue a single flush.Freeing of paging structures however is not deferred until the flushing isdone, and can result in freed pages transiently being present in cached state.Such stale entries can point to memory ranges not owned by the guest, thusallowing access to unintended memory regions.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
xen-libs < 4.17.6_06-150500.3.62.2 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2026-4105 Severity: Important CVSS3 score: 7.8

Description: A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsystemd0 < 249.17-150400.8.55.1 (version in image is 249.17-150400.8.49.2).

CVE-2026-6846 Severity: Important CVSS3 score: 7.8

Description: A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-24049 Severity: Important CVSS3 score: 7.7

Description: wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-wheel < 0.40.0-150400.13.10.1 (version in image is 0.40.0-150400.13.7.4).

CVE-2025-11468 Severity: Important CVSS3 score: 7.5

Description: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-27144 Severity: Important CVSS3 score: 7.5

Description: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2025-47913 Severity: Important CVSS3 score: 7.5

Description: SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-69223 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69227 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69228 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69229 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-0672 Severity: Important CVSS3 score: 7.5

Description: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-1519 Severity: Important CVSS3 score: 7.5

Description: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
bind-utils < 9.16.50-150500.8.35.1 (version in image is 9.16.50-150500.8.32.1).

CVE-2026-1965 Severity: Important CVSS3 score: 7.5

Description: libcurl can in some circumstances reuse the wrong connection when asked to doan Negotiate-authenticated HTTP or HTTPS request.libcurl features a pool of recent connections so that subsequent requests canreuse an existing connection to avoid overhead.When reusing a connection a range of criterion must first be met. Due to alogical error in the code, a request that was issued by an application couldwrongfully reuse an existing connection to the same server that wasauthenticated using different credentials. One underlying reason being thatNegotiate sometimes authenticates *connections* and not *requests*, contraryto how HTTP is designed to work.An application that allows Negotiate authentication to a server (that respondswanting Negotiate) with `user1:password1` and then does another operation tothe same server also using Negotiate but with `user2:password2` (while theprevious connection is still alive) - the second request wrongly reused thesame connection and since it then sees that the Negotiate negotiation isalready made, it just sends the request over that connection thinking it usesthe user2 credentials when it is in fact still using the connectionauthenticated for user1...The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.Applications can disable libcurl's reuse of connections and thus mitigate thisproblem, by using one of the following libcurl options to alter howconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using thecurl_multi API).

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libcurl4 < 8.14.1-150400.5.80.1 (version in image is 8.14.1-150400.5.72.1).

CVE-2026-21226 Severity: Important CVSS3 score: 7.5

Description: Unknown.

Packages affected:

sle-module-public-cloud-release == 15.5 (version in image is 15.5-150500.43.2).
python311-azure-core < 1.30.0-150400.11.6.1 (version in image is 1.30.0-150400.11.3.1).

CVE-2026-23490 Severity: Important CVSS3 score: 7.5

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-pyasn1 < 0.4.2-150000.3.13.1 (version in image is 0.4.2-150000.3.8.1).

CVE-2026-27135 Severity: Important CVSS3 score: 7.5

Description: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libnghttp2-14 < 1.40.0-150200.22.1 (version in image is 1.40.0-150200.17.1).

CVE-2026-28388 Severity: Important CVSS3 score: 7.5

Description: Issue summary: When a delta CRL that contains a Delta CRL Indicator extensionis processed a NULL pointer dereference might happen if the required CRLNumber extension is missing.Impact summary: A NULL pointer dereference can trigger a crash whichleads to a Denial of Service for an application.When CRL processing and delta CRL processing is enabled during X.509certificate verification, the delta CRL processing does not checkwhether the CRL Number extension is NULL before dereferencing it.When a malformed delta CRL file is being processed, this parametercan be NULL, causing a NULL pointer dereference.Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled inthe verification context, the certificate being verified to contain afreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, andan attacker to provide a malformed CRL to an application that processes it.The vulnerability is limited to Denial of Service and cannot be escalated toachieve code execution or memory disclosure. For that reason the issue wasassessed as Low severity according to our Security Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.51.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-30922 Severity: Important CVSS3 score: 7.5

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-pyasn1 < 0.4.2-150000.3.16.1 (version in image is 0.4.2-150000.3.8.1).

CVE-2026-32597 Severity: Important CVSS3 score: 7.5

Description: PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 ?4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-PyJWT < 2.4.0-150200.3.11.1 (version in image is 2.4.0-150200.3.8.1).

CVE-2026-32776 Severity: Important CVSS3 score: 7.5

Description: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-32777 Severity: Important CVSS3 score: 7.5

Description: libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-33748 Severity: Important CVSS3 score: 7.5

Description: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2026-35385 Severity: Important CVSS3 score: 7.5

Description: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2026-4046 Severity: Important CVSS3 score: 7.5

Description: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc > 0-0 (version in image is 2.31-150300.95.1).

CVE-2026-4224 Severity: Important CVSS3 score: 7.5

Description: When an Expat parser with a registered ElementDeclHandler parses an inlinedocument type definition containing a deeply nested content model a C stackoverflow occurs.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.85.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-34743 Severity: Important CVSS3 score: 7.4

Description: XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
liblzma5 > 0-0 (version in image is 5.2.3-150000.4.7.1).

CVE-2026-35535 Severity: Important CVSS3 score: 7.4

Description: In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
sudo < 1.9.12p1-150500.7.16.1 (version in image is 1.9.12p1-150500.7.13.1).

CVE-2026-31789 Severity: Important CVSS3 score: 7.3

Description: Issue summary: Converting an excessively large OCTET STRING value toa hexadecimal string leads to a heap buffer overflow on 32 bit platforms.Impact summary: A heap buffer overflow may lead to a crash or possiblyan attacker controlled code execution or other undefined behavior.If an attacker can supply a crafted X.509 certificate with an excessivelylarge OCTET STRING value in extensions such as the Subject Key Identifier(SKID) or Authority Key Identifier (AKID) which are being converted to hex,the size of the buffer needed for the result is calculated as multiplicationof the input length by 3. On 32 bit platforms, this multiplication may overflowresulting in the allocation of a smaller buffer and a heap buffer overflow.Applications and services that print or log contents of untrusted X.509certificates are vulnerable to this issue. As the certificates would haveto have sizes of over 1 Gigabyte, printing or logging such certificatesis a fairly unlikely operation and only 32 bit platforms are affected,this issue was assigned Low severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.51.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-41035 Severity: Important CVSS3 score: 7.2

Description: In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2026-4786 Severity: Important CVSS3 score: 7.1

Description: Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2026-25646 Severity: Important CVSS3 score: 7.0

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.19.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2026-27459 Severity: Important CVSS3 score: 7.0

Description: pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-pyOpenSSL < 23.2.0-150400.3.13.1 (version in image is 23.2.0-150400.3.10.1).

CVE-2026-4878 Severity: Important CVSS3 score: 7.0

Description: A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libcap2 < 2.63-150400.3.6.1 (version in image is 2.63-150400.3.3.1).

CVE-2026-4519 Severity: Moderate CVSS3 score: 6.9

Description: The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.85.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-5958 Severity: Moderate CVSS3 score: 6.9

Description: When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written,2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.This issue was fixed in version 4.10.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
sed > 0-0 (version in image is 4.4-150300.13.3.1).

CVE-2025-15444 Severity: Moderate CVSS3 score: 6.8

Description: Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodiumlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 .The libsodium vulnerability states:In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.11.1).

CVE-2025-6069 Severity: Moderate CVSS3 score: 6.8

Description: The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311 > 0-0 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-22801 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.19.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2026-5928 Severity: Moderate CVSS3 score: 6.8

Description: Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc > 0-0 (version in image is 2.31-150300.95.1).

CVE-2024-2312 Severity: Moderate CVSS3 score: 6.7

Description: GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
shim < 16.1-150300.4.31.3 (version in image is 15.8-150300.4.23.1).

CVE-2024-45774 Severity: Moderate CVSS3 score: 6.7

Description: A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not discarded.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45781 Severity: Moderate CVSS3 score: 6.7

Description: A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45782 Severity: Moderate CVSS3 score: 6.7

Description: A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may read to a heap-based out-of-bounds writer, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-15366 Severity: Moderate CVSS3 score: 6.7

Description: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.14-150400.9.75.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-15367 Severity: Moderate CVSS3 score: 6.7

Description: The poplib module, when passed a user-controlled command, can haveadditional commands injected using newlines. Mitigation rejects commandscontaining control characters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.14-150400.9.75.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-13151 Severity: Moderate CVSS3 score: 6.6

Description: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libtasn1 > 0-0 (version in image is 4.13-150000.4.14.1).

CVE-2025-46836 Severity: Moderate CVSS3 score: 6.6

Description: net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
net-tools > 0-0 (version in image is 2.0+git20170221.479bb4a-150000.5.13.1).

CVE-2025-8058 Severity: Moderate CVSS3 score: 6.6

Description: The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc < 2.31-150300.98.1 (version in image is 2.31-150300.95.1).

CVE-2024-12086 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2024-12088 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2025-11563 Severity: Moderate CVSS3 score: 6.5

Description: URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl intosaving the output file outside of the current directory without the userexplicitly asking for it.This flaw only affects the wcurl command line tool.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-12801 Severity: Moderate CVSS3 score: 6.5

Description: A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate theprivileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
nfs-client > 0-0 (version in image is 2.1.1-150500.22.3.1).

CVE-2025-13836 Severity: Moderate CVSS3 score: 6.5

Description: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-15282 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-24528 Severity: Moderate CVSS3 score: 6.5

Description: In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
krb5 > 0-0 (version in image is 1.20.1-150500.3.17.1).

CVE-2025-47268 Severity: Moderate CVSS3 score: 6.5

Description: ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
iputils > 0-0 (version in image is 20221126-150500.3.14.1).

CVE-2025-58149 Severity: Moderate CVSS3 score: 6.5

Description: When passing through PCI devices, the detach logic in libxl won't removeaccess permissions to any 64bit memory BARs the device might have. As aresult a domain can still have access any 64bit memory BAR when suchdevice is no longer assigned to the domain.For PV domains the permission leak allows the domain itself to map the memoryin the page-tables. For HVM it would require a compromised device model orstubdomain to map the leaked memory into the HVM domain p2m.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
xen-libs > 0-0 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2025-68468 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2025-68471 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2025-69224 Severity: Moderate CVSS3 score: 6.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-8194 Severity: Moderate CVSS3 score: 6.5

Description: There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311 > 0-0 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-0865 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled header names and values containing newlines can allow injecting HTTP headers.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-0966 Severity: Moderate CVSS3 score: 6.5

Description: The API function `ssh_get_hexa()` is vulnerable, when 0-lenghtinput is provided to this function. This function is used internallyin `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated),which is vulnerable to the same input (length is provided by thecalling application).The function is also used internally in the gssapi code for loggingthe OIDs received by the server during GSSAPI authentication. Thiscould be triggered remotely, when the server allows GSSAPI authenticationand logging verbosity is set at least to SSH_LOG_PACKET (3). Thiscould cause self-DoS of the per-connection daemon process.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-24401 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2026-25210 Severity: Moderate CVSS3 score: 6.5

Description: In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-28387 Severity: Moderate CVSS3 score: 6.5

Description: Issue summary: An uncommon configuration of clients performing DANE TLSA-basedserver authentication, when paired with uncommon server DANE TLSA records, mayresult in a use-after-free and/or double-free on the client side.Impact summary: A use after free can have a range of potential consequencessuch as the corruption of valid data, crashes or execution of arbitrary code.However, the issue only affects clients that make use of TLSA records with boththe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificateusage.By far the most common deployment of DANE is in SMTP MTAs for which RFC7672recommends that clients treat as 'unusable' any TLSA records that have the PKIXcertificate usages. These SMTP (or other similar) clients are not vulnerableto this issue. Conversely, any clients that support only the PKIX usages, andignore the DANE-TA(2) usage are also not vulnerable.The client would also need to be communicating with a server that publishes aTLSA RRset with both types of TLSA records.No FIPS modules are affected by this issue, the problem code is outside theFIPS module boundary.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.51.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-3497 Severity: Moderate CVSS3 score: 6.5

Description: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2026-35469 Severity: Moderate CVSS3 score: 6.5

Description: spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes - all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2026-3644 Severity: Moderate CVSS3 score: 6.5

Description: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.85.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2024-45775 Severity: Moderate CVSS3 score: 6.4

Description: A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45776 Severity: Moderate CVSS3 score: 6.4

Description: When reading the language .mo file in grub_mofile_open(), grub2 fails to verify an integer overflow when allocating its internal buffer. A crafted .mo file may lead the buffer size calculation to overflow, leading to out-of-bound reads and writes. This flaw allows an attacker to leak sensitive data or overwrite critical data, possibly circumventing secure boot protections.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45777 Severity: Moderate CVSS3 score: 6.4

Description: A flaw was found in grub2. The calculation of the translation buffer when reading a language .mo file in grub_gettext_getstr_from_position() may overflow, leading to a Out-of-bound write. This issue can be leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention of secure boot protections.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45779 Severity: Moderate CVSS3 score: 6.4

Description: An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45780 Severity: Moderate CVSS3 score: 6.4

Description: A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2024-45783 Severity: Moderate CVSS3 score: 6.4

Description: A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2026-40226 Severity: Moderate CVSS3 score: 6.4

Description: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsystemd0 > 0-0 (version in image is 249.17-150400.8.49.2).

CVE-2026-2781 Severity: Important CVSS3 score: 6.3

Description: Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
mozilla-nss-certs < 3.112.3-150400.3.63.1 (version in image is 3.112.2-150400.3.60.1).

CVE-2024-12747 Severity: Moderate CVSS3 score: 6.3

Description: A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2025-14017 Severity: Moderate CVSS3 score: 6.3

Description: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,changing TLS options in one thread would inadvertently change them globallyand therefore possibly also affect other concurrently setup transfers.Disabling certificate verification for a specific transfer couldunintentionally disable the feature for other threads as well.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2026-41989 Severity: Moderate CVSS3 score: 6.3

Description: Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-40909 Severity: Moderate CVSS3 score: 6.2

Description: Perl threads have a working directory race condition where file operations may target unintended paths.If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
perl > 0-0 (version in image is 5.26.1-150300.17.20.1).

CVE-2025-68160 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Writing large, newline-free data into a BIO chain using theline-buffering filter where the next BIO performs short writes can triggera heap-based out-of-bounds write.Impact summary: This out-of-bounds write can cause memory corruption whichtypically results in a crash, leading to Denial of Service for an application.The line-buffering BIO filter (BIO_f_linebuffer) is not used by default inTLS/SSL data paths. In OpenSSL command-line applications, it is typicallyonly pushed onto stdout/stderr on VMS systems. Third-party applications thatexplicitly use this filter with a BIO chain that can short-write and thatwrite large, newline-free data influenced by an attacker would be affected.However, the circumstances where this could happen are unlikely to be underattacker control, and BIO_f_linebuffer is unlikely to be handling non-curateddata controlled by an attacker. For that reason the issue was assessed asLow severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the BIO implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2025-69419 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Calling PKCS12_get_friendlyname() function on a maliciouslycrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containingnon-ASCII BMP code point can trigger a one byte write before the allocatedbuffer.Impact summary: The out-of-bounds write can cause a memory corruptionwhich can have various consequences including a Denial of Service.The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16source byte count as the destination buffer capacity to UTF8_putc(). For BMPcode points above U+07FF, UTF-8 requires three bytes, but the forwardedcapacity can be just two bytes. UTF8_putc() then returns -1, and this negativevalue is added to the output length without validation, causing thelength to become negative. The subsequent trailing NUL byte is then writtenat a negative offset, causing write outside of heap allocated buffer.The vulnerability is reachable via the public PKCS12_get_friendlyname() APIwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses adifferent code path that avoids this issue, PKCS12_get_friendlyname() directlyinvokes the vulnerable function. Exploitation requires an attacker to providea malicious PKCS#12 file to be parsed by the application and the attackercan just trigger a one zero byte write before the allocated buffer.For that reason the issue was assessed as Low severity according to ourSecurity Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2025-69421 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointerdereference in the PKCS12_item_decrypt_d2i_ex() function.Impact summary: A NULL pointer dereference can trigger a crash which leads toDenial of Service for an application processing PKCS#12 files.The PKCS12_item_decrypt_d2i_ex() function does not check whether the octparameter is NULL before dereferencing it. When called fromPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter canbe NULL, causing a crash. The vulnerability is limited to Denial of Serviceand cannot be escalated to achieve code execution or memory disclosure.Exploiting this issue requires an attacker to provide a malformed PKCS#12 fileto an application that processes it. For that reason the issue was assessed asLow severity according to our Security Policy.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-22795 Severity: Moderate CVSS3 score: 6.2

Description: Issue summary: An invalid or NULL pointer dereference can happen inan application processing a malformed PKCS#12 file.Impact summary: An application processing a malformed PKCS#12 file can becaused to dereference an invalid or NULL pointer on memory read, resultingin a Denial of Service.A type confusion vulnerability exists in PKCS#12 parsing code wherean ASN1_TYPE union member is accessed without first validating the type,causing an invalid pointer read.The location is constrained to a 1-byte address space, meaning anyattempted pointer manipulation can only target addresses between 0x00 and 0xFF.This range corresponds to the zero page, which is unmapped on most modernoperating systems and will reliably result in a crash, leading only to aDenial of Service. Exploiting this issue also requires a user or applicationto process a maliciously crafted PKCS#12 file. It is uncommon to acceptuntrusted PKCS#12 files in applications as they are usually used to storeprivate keys which are trusted by definition. For these reasons, the issuewas assessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2025-14104 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libblkid1 > 0-0 (version in image is 2.37.4-150500.9.20.1).

CVE-2026-22695 Severity: Moderate CVSS3 score: 6.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.19.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2026-3441 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-3442 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-4647 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-46802 Severity: Moderate CVSS3 score: 6.0

Description: For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
screen > 0-0 (version in image is 4.6.2-150000.5.8.1).

CVE-2026-39881 Severity: Moderate CVSS3 score: 6.0

Description: Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2024-11584 Severity: Moderate CVSS3 score: 5.9

Description: cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Packages affected:

sle-module-public-cloud-release == 15.5 (version in image is 15.5-150500.43.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2024-47081 Severity: Moderate CVSS3 score: 5.9

Description: Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-requests > 0-0 (version in image is 2.25.1-150300.3.18.1).

CVE-2024-49761 Severity: Moderate CVSS3 score: 5.9

Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2025-3360 Severity: Moderate CVSS3 score: 5.9

Description: A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glib2-tools > 0-0 (version in image is 2.70.5-150400.3.29.1).

CVE-2025-3576 Severity: Moderate CVSS3 score: 5.9

Description: A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
krb5 > 0-0 (version in image is 1.20.1-150500.3.17.1).

CVE-2025-4565 Severity: Moderate CVSS3 score: 5.9

Description: Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-protobuf > 0-0 (version in image is 4.25.1-150500.12.11.1).

CVE-2025-68972 Severity: Moderate CVSS3 score: 5.9

Description: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
gpg2 > 0-0 (version in image is 2.2.27-150300.3.16.1).

CVE-2026-0990 Severity: Moderate CVSS3 score: 5.9

Description: A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-0994 Severity: Moderate CVSS3 score: 5.9

Description: A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-protobuf > 0-0 (version in image is 4.25.1-150500.12.11.1).

CVE-2026-28390 Severity: Moderate CVSS3 score: 5.9

Description: Issue summary: During processing of a crafted CMS EnvelopedData messagewith KeyTransportRecipientInfo a NULL pointer dereference can happen.Impact summary: Applications that process attacker-controlled CMS data maycrash before authentication or cryptographic operations occur resulting inDenial of Service.When a CMS EnvelopedData message that uses KeyTransportRecipientInfo withRSA-OAEP encryption is processed, the optional parameters field ofRSA-OAEP SourceFunc algorithm identifier is examined without checkingfor its presence. This results in a NULL pointer dereference if the fieldis missing.Applications and services that call CMS_decrypt() on untrusted input(e.g., S/MIME processing or CMS-based protocols) are vulnerable.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.54.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-32778 Severity: Moderate CVSS3 score: 5.9

Description: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 < 2.7.1-150400.3.37.1 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-5450 Severity: Moderate CVSS3 score: 5.9

Description: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc > 0-0 (version in image is 2.31-150300.95.1).

CVE-2023-34324 Severity: Moderate CVSS3 score: 5.7

Description: Closing of an event channel in the Linux kernel can result in a deadlock.This happens when the close is being performed in parallel to an unrelatedXen console action and the handling of a Xen console interrupt in anunprivileged guest.The closing of an event channel is e.g. triggered by removal of aparavirtual device on the other side. As this action will cause consolemessages to be issued on the other side quite often, the chance oftriggering the deadlock is not neglectable.Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernelon Arm doesn't use queued-RW-locks, which are required to trigger theissue (on Arm32 a waiting writer doesn't block further readers to getthe lock).

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
xen-libs > 0-0 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2025-0838 Severity: Moderate CVSS3 score: 5.6

Description: There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libabsl2401_0_0 > 0-0 (version in image is 20240116.1-150500.13.7.8).

CVE-2025-32414 Severity: Moderate CVSS3 score: 5.6

Description: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2025-55158 Severity: Moderate CVSS3 score: 5.6

Description: Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim's internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-3184 Severity: Moderate CVSS3 score: 5.6

Description: A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libblkid1 > 0-0 (version in image is 2.37.4-150500.9.20.1).

CVE-2025-15281 Severity: Moderate CVSS3 score: 5.5

Description: Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc < 2.31-150300.98.1 (version in image is 2.31-150300.95.1).

CVE-2025-68276 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either callingthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2025-69644 Severity: Moderate CVSS3 score: 5.5

Description: An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69646 Severity: Moderate CVSS3 score: 5.5

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69647 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69648 Severity: Moderate CVSS3 score: 5.5

Description: GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-2297 Severity: Moderate CVSS3 score: 5.5

Description: The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-23553 Severity: Moderate CVSS3 score: 5.5

Description: In the context switch logic Xen attempts to skip an IBPB in the case ofa vCPU returning to a CPU on which it was the previous vCPU to run.While safe for Xen's isolation between vCPUs, this prevents the guestkernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again.Now, task 2 is running on CPU A with task 1's training still in the BTB.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
xen-libs > 0-0 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2026-24515 Severity: Moderate CVSS3 score: 5.5

Description: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-25645 Severity: Moderate CVSS3 score: 5.5

Description: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-requests > 0-0 (version in image is 2.25.1-150300.3.18.1).

CVE-2026-29111 Severity: Moderate CVSS3 score: 5.5

Description: systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsystemd0 < 249.17-150400.8.55.1 (version in image is 249.17-150400.8.49.2).

CVE-2026-34933 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2026-4897 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpolkit-agent-1-0 > 0-0 (version in image is 121-150500.3.6.1).

CVE-2026-5704 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
tar > 0-0 (version in image is 1.34-150000.3.34.1).

CVE-2026-6862 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libefivar1 > 0-0 (version in image is 37-6.12.1).

CVE-2025-48964 Severity: Moderate CVSS3 score: 5.4

Description: ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero).

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
iputils > 0-0 (version in image is 20221126-150500.3.14.1).

CVE-2025-7709 Severity: Moderate CVSS3 score: 5.4

Description: An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsqlite3-0 > 0-0 (version in image is 3.50.2-150000.3.33.1).

CVE-2026-26269 Severity: Moderate CVSS3 score: 5.4

Description: Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-34525 Severity: Moderate CVSS3 score: 5.4

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2024-12085 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2024-12243 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libgnutls30 > 0-0 (version in image is 3.7.3-150400.4.53.1).

CVE-2024-52615 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libavahi-client3 > 0-0 (version in image is 0.8-150400.7.23.1).

CVE-2025-14524 Severity: Moderate CVSS3 score: 5.3

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transferperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the newtarget host.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-14819 Severity: Moderate CVSS3 score: 5.3

Description: When doing TLS related transfers with reused easy or multi handles andaltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentallyreuse a CA store cached in memory for which the partial chain option wasreversed. Contrary to the user's wishes and expectations. This could makelibcurl find and accept a trust chain that it otherwise would not.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-14831 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libgnutls30 > 0-0 (version in image is 3.7.3-150400.4.53.1).

CVE-2025-15079 Severity: Moderate CVSS3 score: 5.3

Description: When doing SSH-based transfers using either SCP or SFTP, and setting theknown_hosts file, libcurl could still mistakenly accept connecting to hosts*not present* in the specified file if they were added as recognized in thelibssh *global* known_hosts file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-24294 Severity: Moderate CVSS3 score: 5.3

Description: The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2025-47911 Severity: Moderate CVSS3 score: 5.3

Description: The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-47914 Severity: Moderate CVSS3 score: 5.3

Description: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-50181 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-58150 Severity: Moderate CVSS3 score: 5.3

Description: Shadow mode tracing code uses a set of per-CPU variables to avoidcumbersome parameter passing. Some of these variables are written towith guest controlled data, of guest controllable size. That size canbe larger than the variable, and bounding of the writes was missing.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
xen-libs > 0-0 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2025-58181 Severity: Moderate CVSS3 score: 5.3

Description: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-66418 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-66471 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-69225 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69226 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp < 3.9.3-150400.10.36.1 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69418 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2025-69420 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: A type confusion vulnerability exists in the TimeStamp Responseverification code where an ASN1_TYPE union member is accessed without firstvalidating the type, causing an invalid or NULL pointer dereference whenprocessing a malformed TimeStamp Response file.Impact summary: An application calling TS_RESP_verify_response() with amalformed TimeStamp Response can be caused to dereference an invalid orNULL pointer when reading, resulting in a Denial of Service.The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()access the signing cert attribute value without validating its type.When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memorythrough the ASN1_TYPE union, causing a crash.Exploiting this vulnerability requires an attacker to provide a malformedTimeStamp Response to an application that verifies timestamp responses. TheTimeStamp protocol (RFC 3161) is not widely used and the impact of theexploit is just a Denial of Service. For these reasons the issue wasassessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the TimeStamp Response implementation is outside the OpenSSL FIPS moduleboundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2025-9390 Severity: Moderate CVSS3 score: 5.3

Description: A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-0915 Severity: Moderate CVSS3 score: 5.3

Description: Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glibc < 2.31-150300.98.1 (version in image is 2.31-150300.95.1).

CVE-2026-0992 Severity: Moderate CVSS3 score: 5.3

Description: A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-22796 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: A type confusion vulnerability exists in the signatureverification of signed PKCS#7 data where an ASN1_TYPE union member isaccessed without first validating the type, causing an invalid or NULLpointer dereference when processing malformed PKCS#7 data.Impact summary: An application performing signature verification of PKCS#7data or calling directly the PKCS7_digest_from_attributes() function can becaused to dereference an invalid or NULL pointer when reading, resulting ina Denial of Service.The function PKCS7_digest_from_attributes() accesses the message digest attributevalue without validating its type. When the type is not V_ASN1_OCTET_STRING,this results in accessing invalid memory through the ASN1_TYPE union, causinga crash.Exploiting this vulnerability requires an attacker to provide a malformedsigned PKCS#7 to an application that verifies it. The impact of theexploit is just a Denial of Service, the PKCS7 API is legacy and applicationsshould be using the CMS API instead. For these reasons the issue wasassessed as Low severity.The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,as the PKCS#7 parsing implementation is outside the OpenSSL FIPS moduleboundary.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.46.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-22815 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-27171 Severity: Moderate CVSS3 score: 5.3

Description: zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libz1 > 0-0 (version in image is 1.2.13-150500.4.3.1).

CVE-2026-28389 Severity: Moderate CVSS3 score: 5.3

Description: Issue summary: During processing of a crafted CMS EnvelopedData messagewith KeyAgreeRecipientInfo a NULL pointer dereference can happen.Impact summary: Applications that process attacker-controlled CMS data maycrash before authentication or cryptographic operations occur resulting inDenial of Service.When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo isprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifieris examined without checking for its presence. This results in a NULLpointer dereference if the field is missing.Applications and services that call CMS_decrypt() on untrusted input(e.g., S/MIME processing or CMS-based protocols) are vulnerable.The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by thisissue, as the affected code is outside the OpenSSL FIPS module boundary.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libopenssl1_1 < 1.1.1l-150500.17.51.1 (version in image is 1.1.1l-150500.17.43.1).

CVE-2026-28417 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28418 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28419 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-28421 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-32249 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-33412 Severity: Moderate CVSS3 score: 5.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-3446 Severity: Moderate CVSS3 score: 5.3

Description: When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2026-34516 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-34518 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-34520 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-3731 Severity: Moderate CVSS3 score: 5.3

Description: A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-34757 Severity: Moderate CVSS3 score: 5.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 > 0-0 (version in image is 1.6.34-150000.3.12.1).

CVE-2026-0964 Severity: Moderate CVSS3 score: 5.0

Description: A malicious SCP server can send unexpected paths that could make theclient application override local files outside of working directory.This could be misused to create malicious executable or configurationfiles and make the user execute them under specific consequences.This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2025-54770 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-54771 Severity: Moderate CVSS3 score: 4.9

Description: A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-61662 Severity: Moderate CVSS3 score: 4.9

Description: A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-61663 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-61664 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-7039 Severity: Moderate CVSS3 score: 4.9

Description: A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glib2-tools > 0-0 (version in image is 2.70.5-150400.3.29.1).

CVE-2026-1502 Severity: Moderate CVSS3 score: 4.9

Description: CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-4373 Severity: Moderate CVSS3 score: 4.8

Description: A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glib2-tools > 0-0 (version in image is 2.70.5-150400.3.29.1).

CVE-2025-61661 Severity: Moderate CVSS3 score: 4.8

Description: A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2026-34514 Severity: Moderate CVSS3 score: 4.8

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2024-10041 Severity: Moderate CVSS3 score: 4.7

Description: A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
pam > 0-0 (version in image is 1.3.0-150000.6.86.1).

CVE-2024-56738 Severity: Moderate CVSS3 score: 4.7

Description: GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2025-1713 Severity: Moderate CVSS3 score: 4.7

Description: When setting up interrupt remapping for legacy PCI(-X) devices,including PCI(-X) bridges, a lookup of the upstream bridge is required.This lookup, itself involving acquiring of a lock, is done in a contextwhere acquiring that lock is unsafe. This can lead to a deadlock.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
xen-libs > 0-0 (version in image is 4.17.6_02-150500.3.56.1).

CVE-2025-8114 Severity: Moderate CVSS3 score: 4.7

Description: A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-27456 Severity: Moderate CVSS3 score: 4.7

Description: util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libblkid1 > 0-0 (version in image is 2.37.4-150500.9.20.1).

CVE-2026-3783 Severity: Moderate CVSS3 score: 4.7

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transferperforms a redirect to a second URL, curl could leak that token to the secondhostname under some circumstances.If the hostname that the first request is redirected to has information in theused .netrc file, with either of the `machine` or `default` keywords, curlwould pass on the bearer token set for the first host also to the second one.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libcurl4 < 8.14.1-150400.5.80.1 (version in image is 8.14.1-150400.5.72.1).

CVE-2024-40635 Severity: Moderate CVSS3 score: 4.6

Description: containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2026-3784 Severity: Moderate CVSS3 score: 4.6

Description: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to aserver, even if the new request uses different credentials for the HTTP proxy.The proper behavior is to create or use a separate connection.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libcurl4 < 8.14.1-150400.5.80.1 (version in image is 8.14.1-150400.5.72.1).

CVE-2024-43790 Severity: Moderate CVSS3 score: 4.5

Description: Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2024-43802 Severity: Moderate CVSS3 score: 4.5

Description: Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-11065 Severity: Moderate CVSS3 score: 4.5

Description: A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2024-45306 Severity: Moderate CVSS3 score: 4.4

Description: Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end ofa line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer atthe specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-22870 Severity: Moderate CVSS3 score: 4.4

Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
containerd > 0-0 (version in image is 1.7.29-150000.128.1).

CVE-2025-69277 Severity: Moderate CVSS3 score: 4.4

Description: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.11.1).

CVE-2025-69720 Severity: Moderate CVSS3 score: 4.4

Description: The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libncurses6 > 0-0 (version in image is 6.1-150000.5.30.1).

CVE-2024-35221 Severity: Moderate CVSS3 score: 4.3

Description: Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2025-10158 Severity: Moderate CVSS3 score: 4.3

Description: A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
rsync > 0-0 (version in image is 3.2.3-150400.3.26.1).

CVE-2025-12084 Severity: Moderate CVSS3 score: 4.3

Description: When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-70873 Severity: Moderate CVSS3 score: 4.3

Description: An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libsqlite3-0 > 0-0 (version in image is 3.50.2-150000.3.33.1).

CVE-2026-21441 Severity: Moderate CVSS3 score: 4.3

Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-22134 Severity: Moderate CVSS3 score: 4.2

Description: When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-24014 Severity: Moderate CVSS3 score: 4.2

Description: Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-35414 Severity: Moderate CVSS3 score: 4.2

Description: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2025-53905 Severity: Moderate CVSS3 score: 4.1

Description: Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-53906 Severity: Moderate CVSS3 score: 4.1

Description: Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-35177 Severity: Moderate CVSS3 score: 4.1

Description: Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-0938 Severity: Moderate CVSS3 score: 4.0

Description: The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-13837 Severity: Moderate CVSS3 score: 4.0

Description: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-66382 Severity: Moderate CVSS3 score: 4.0

Description: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2025-9820 Severity: Moderate CVSS3 score: 4.0

Description: A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libgnutls30 > 0-0 (version in image is 3.7.3-150400.4.53.1).

CVE-2024-45778 Severity: Moderate CVSS3 score: 3.9

Description: A stack overflow flaw was found when reading a BFS file system. A crafted BFS filesystem may lead to an uncontrolled loop, causing grub2 to crash.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2026-28420 Severity: Low CVSS3 score: 3.9

Description: Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-6019 Severity: Low CVSS3 score: 3.8

Description: http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2026-0989 Severity: Moderate CVSS3 score: 3.7

Description: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2025-3416 Severity: Low CVSS3 score: 3.7

Description: A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-cryptography > 0-0 (version in image is 41.0.3-150400.16.22.1).

CVE-2025-53643 Severity: Low CVSS3 score: 3.7

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-0988 Severity: Low CVSS3 score: 3.7

Description: A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
glib2-tools < 2.70.5-150400.3.34.1 (version in image is 2.70.5-150400.3.29.1).

CVE-2026-27448 Severity: Low CVSS3 score: 3.7

Description: pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-pyOpenSSL < 23.2.0-150400.3.13.1 (version in image is 23.2.0-150400.3.10.1).

CVE-2026-34513 Severity: Low CVSS3 score: 3.7

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-34519 Severity: Low CVSS3 score: 3.7

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-41990 Severity: Moderate CVSS3 score: 3.6

Description: Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
grub2 > 0-0 (version in image is 2.06-150500.29.59.1).

CVE-2026-35386 Severity: Low CVSS3 score: 3.6

Description: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2026-3219 Severity: Moderate CVSS3 score: 3.3

Description: pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-pip > 0-0 (version in image is 22.3.1-150400.17.16.4).

CVE-2016-6131 Severity: Low CVSS3 score: 3.3

Description: The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.

Packages affected:

sle-module-development-tools-release == 15.5 (version in image is 15.5-150500.43.2).
crash > 0-0 (version in image is 7.3.1-150500.3.4).

CVE-2025-11839 Severity: Low CVSS3 score: 3.3

Description: A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-11840 Severity: Low CVSS3 score: 3.3

Description: A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-11961 Severity: Low CVSS3 score: 3.3

Description: pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpcap1 > 0-0 (version in image is 1.10.1-150400.3.6.2).

CVE-2025-12781 Severity: Low CVSS3 score: 3.3

Description: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.14-150400.9.75.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-2588 Severity: Low CVSS3 score: 3.3

Description: A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
augeas > 0-0 (version in image is 1.12.0-150400.3.8.1).

CVE-2025-28162 Severity: Low CVSS3 score: 3.3

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage with AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.19.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2025-28164 Severity: Low CVSS3 score: 3.3

Description: Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpng16-16 < 1.6.34-150000.3.19.1 (version in image is 1.6.34-150000.3.12.1).

CVE-2025-69645 Severity: Low CVSS3 score: 3.3

Description: Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69649 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-69652 Severity: Low CVSS3 score: 3.3

Description: GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-8291 Severity: Low CVSS3 score: 3.3

Description: The 'zipfile' module would not check the validity of the ZIP64 End ofCentral Directory (EOCD) Locator record offset value would not be used tolocate the ZIP64 EOCD record, instead the ZIP64 EOCD record would beassumed to be the previous record in the ZIP archive. This could be abusedto create ZIP archives that are handled differently by the 'zipfile' modulecompared to other ZIP implementations.Remediation maintains this behavior, but checks that the offset specifiedin the ZIP64 EOCD Locator record matches the expected value.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.103.1).

CVE-2025-8732 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
gettext-runtime > 0-0 (version in image is 0.20.2-1.43).

CVE-2026-0965 Severity: Low CVSS3 score: 3.3

Description: A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-1757 Severity: Low CVSS3 score: 3.3

Description: A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-28422 Severity: Low CVSS3 score: 3.3

Description: Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim < 9.2.0110-150500.20.43.1 (version in image is 9.1.1629-150500.20.38.1).

CVE-2026-3479 Severity: Low CVSS3 score: 3.3

Description: DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.85.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2026-4539 Severity: Low CVSS3 score: 3.3

Description: A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-Pygments > 0-0 (version in image is 2.15.1-150400.7.7.4).

CVE-2024-51744 Severity: Moderate CVSS3 score: 3.1

Description: golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

Packages affected:

sle-module-containers-release == 15.5 (version in image is 15.5-150500.43.2).
docker > 0-0 (version in image is 28.5.1_ce-150000.238.1).

CVE-2025-15224 Severity: Moderate CVSS3 score: 3.1

Description: When doing SSH-based transfers using either SCP or SFTP, and asked to dopublic key authentication, curl would wrongly still ask and authenticate usinga locally running SSH agent.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
curl > 0-0 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-1795 Severity: Low CVSS3 score: 3.1

Description: During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311 > 0-0 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-8277 Severity: Low CVSS3 score: 3.1

Description: A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-1703 Severity: Low CVSS3 score: 3.1

Description: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-pip > 0-0 (version in image is 22.3.1-150400.17.16.4).

CVE-2026-34517 Severity: Low CVSS3 score: 3.1

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2026-35387 Severity: Low CVSS3 score: 3.1

Description: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2025-32415 Severity: Low CVSS3 score: 2.9

Description: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2025-58767 Severity: Low CVSS3 score: 2.9

Description: REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.54.1).

CVE-2024-58251 Severity: Low CVSS3 score: 2.8

Description: In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
iproute2 > 0-0 (version in image is 5.14-150400.3.3.1).

CVE-2025-1215 Severity: Low CVSS3 score: 2.8

Description: A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
vim > 0-0 (version in image is 9.1.1629-150500.20.38.1).

CVE-2025-30258 Severity: Low CVSS3 score: 2.7

Description: In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
gpg2 > 0-0 (version in image is 2.2.27-150300.3.16.1).

CVE-2025-66863 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66866 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-3805 Severity: Moderate CVSS3 score: 2.5

Description: When doing a second SMB request to the same host again, curl would wrongly usea data pointer pointing into already freed memory.

Packages affected:

sle-module-basesystem-release == 15.5 (version in image is 15.5-150500.43.2).
libcurl4 < 8.14.1-150400.5.80.1 (version in image is 8.14.1-150400.5.72.1).

CVE-2025-13462 Severity: Low CVSS3 score: 2.5

Description: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.85.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-6075 Severity: Low CVSS3 score: 2.5

Description: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libpython3_11-1_0 < 3.11.15-150400.9.80.1 (version in image is 3.11.14-150400.9.69.1).

CVE-2025-66861 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66864 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2025-66865 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
binutils > 0-0 (version in image is 2.45-150100.7.57.1).

CVE-2026-35388 Severity: Low CVSS3 score: 2.5

Description: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
openssh > 0-0 (version in image is 8.4p1-150300.3.57.1).

CVE-2026-41080 Severity: Low CVSS3 score: 2.5

Description: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2026-0967 Severity: Low CVSS3 score: 2.2

Description: A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libssh-config > 0-0 (version in image is 0.9.8-150400.3.12.1).

CVE-2026-4176 Severity: Moderate CVSS3 score: None

Description: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Packages affected:

sles-release == 15.5 (version in image is 15.5-150500.61.4.1).
libz1 > 0-0 (version in image is 1.2.13-150500.4.3.1).

CVE scan

Summary of CVEs affecting the image: