SB2025121754 - SUSE update for xkbcomp
Published: December 17, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2018-15853)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to endless recursion exists in xkbcomp/expr.c during insufficient validation of user-supplied input. A local attacker can supply a specially crafted keymap file, trigger boolean negation and cause the application to crash.
2) Null pointer dereference (CVE-ID: CVE-2018-15859)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ExprResolveLhs function, as defined in the xkbcomp/expr.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger NULL pointer dereference and cause the application to crash.
3) Null pointer dereference (CVE-ID: CVE-2018-15861)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ExprResolveLhs function, as defined in the xkbcomp/expr.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input, trigger an xkb_intern_atom failure and cause the application to crash.
4) Null pointer dereference (CVE-ID: CVE-2018-15863)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer usage condition by the ResolveStateAndPredicate function, as defined in the xkbcomp/compat.c source code file. A local attacker can submit a specially crafted keymap file that submits malicious input to an affected system with a no-op modmaskexpression, trigger NULL pointer dereference and cause the application to crash.
Remediation
Install update from vendor's website.