SB2026012873 - SUSE update for alloy
Published: January 28, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) UNIX symbolic link following (CVE-ID: CVE-2025-31133)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue within the maskedPaths feature. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Successful exploitation of this vulnerability may result in privilege escalation.
2) UNIX symbolic link following (CVE-ID: CVE-2025-52565)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue related to /dev/console mounts. A local user can escape the container using a malicious config and escalate privileges on the system.
3) UNIX symbolic link following (CVE-ID: CVE-2025-52881)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue related to procfs write redirects. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Successful exploitation of this vulnerability may result in privilege escalation.
4) Uncontrolled recursion (CVE-ID: CVE-2025-68156)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to uncontrolled recursion within the flatten, min, max, mean, and median function. A remote attacker can pass specially crafted input to the application and perform a denial of service attack.
Remediation
Install update from vendor's website.