SUSE update for go1.24
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-22866 CVE-2025-22867 |
| CWE-ID | CWE-401 CWE-94 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Development Tools Module Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system go1.24 Operating systems & Components / Operating system package or component go1.24-race Operating systems & Components / Operating system package or component go1.24-doc Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU103932
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-22866
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a small number of bits of secret scalars are leaked on the ppc64le architecture in crypto/internal/nistec. A local user can gain access to potentially sensitive information.
Update the affected package go1.24 to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP6
SUSE Linux Enterprise Server 15: SP6
SUSE Linux Enterprise Desktop 15: SP6
go1.24: before 1.24 rc3-150000.1.6.1
go1.24-race: before 1.24 rc3-150000.1.6.1
go1.24-doc: before 1.24 rc3-150000.1.6.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:go1_24:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:go1_24-race:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:go1_24-doc:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Code Injection
EUVDB-ID: #VU103933
Risk: Low
CVSSv4.0: 4.1 [CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-22867
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. A local user can trigger code execution while building a Go module which contains CGO when using the Apple version of ld.
MitigationUpdate the affected package go1.24 to the latest version.
Vulnerable software versionsDevelopment Tools Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP6
SUSE Linux Enterprise Server 15: SP6
SUSE Linux Enterprise Desktop 15: SP6
go1.24: before 1.24 rc3-150000.1.6.1
go1.24-race: before 1.24 rc3-150000.1.6.1
go1.24-doc: before 1.24 rc3-150000.1.6.1
CPE2.3- cpe:2.3:o:suse:development_tools_module:15-SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
- cpe:2.3:a:suse:go1_24:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:go1_24-race:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:go1_24-doc:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
