SB2026031321 - SUSE update for apptainer




Published: March 13, 2026

Security Bulletin ID: SB2026031321
Severity: Medium
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 10 security vulnerabilities.


1) Race condition (CVE-ID: CVE-2024-45310)

The vulnerability allows a remote attacker to create empty files and directories on the host.

The vulnerability exists due to a race condition when handling containers with custom configuration. A remote attacker can trick the victim into running a specially crafted Docker or Kubernetes container, which can be used to share a volume between two containers and then exploit a race with os.MkdirAll to create empty files or directories in arbitrary locations in the host filesystem.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service attack against the host system.


2) Resource exhaustion (CVE-ID: CVE-2025-22869)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the ssh package when handling clients that complete the key exchange slowly, or not at all. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2025-22870)

The vulnerability allows a remote attacker to alter the application's behavior.

The vulnerability exists due to insufficient validation of an IPv6 zone ID as a hostname component when matching hosts against proxy patterns. For instance, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied. A remote attacker can alter application behavior and potentially gain access to sensitive information or functionality.
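The matching flaw described above can be reproduced with a plain suffix comparison. The following Go program is an added example, not code from the bulletin, the vendor or the affected package: the function names are hypothetical and the sample authorities are constructed. It compares a naive pattern match with one that never applies a domain pattern to an IP literal.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// hostnameOf extracts the host from "host:port" and decodes the
// URL-escaped zone separator ("%25" -> "%").
func hostnameOf(authority string) (string, error) {
	host, _, err := net.SplitHostPort(authority)
	if err != nil {
		return "", err
	}
	return strings.ReplaceAll(host, "%25", "%"), nil
}

// naiveNoProxy models the flawed check: a plain suffix match of the
// raw hostname against a "*.domain" pattern, zone ID included.
func naiveNoProxy(host, pattern string) bool {
	return strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

// strictNoProxy refuses to apply a domain pattern to an IP literal.
// Anything that parses as an address, or still contains ':' or '%',
// is never treated as a DNS name.
func strictNoProxy(host, pattern string) bool {
	if _, err := netip.ParseAddr(host); err == nil {
		return false
	}
	if strings.ContainsAny(host, ":%") {
		return false
	}
	return strings.HasSuffix(host, strings.TrimPrefix(pattern, "*"))
}

func main() {
	const pattern = "*.example.com" // NO_PROXY value from the bulletin
	// Constructed sample authorities; the first is the bulletin's example.
	for _, a := range []string{"[::1%25.example.com]:80", "api.example.com:80", "[::1]:80"} {
		h, err := hostnameOf(a)
		if err != nil {
			fmt.Println(a, "error:", err)
			continue
		}
		fmt.Printf("%-26s naive=%-5v strict=%v\n", a, naiveNoProxy(h, pattern), strictNoProxy(h, pattern))
	}
}
```

Only the zone-ID authority produces different answers from the two matchers, which makes it a useful regression test input when validating a patched build.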


4) Input validation error (CVE-ID: CVE-2025-22872)

The vulnerability allows a remote attacker to perform code injection attacks.

The vulnerability exists due to insufficient validation of tags with unquoted attribute values that end with a solidus character (/). The tokenizer can interpret such tags as self-closing, causing content that follows such tags to be placed in the wrong scope during DOM construction.


5) Resource exhaustion (CVE-ID: CVE-2025-27144)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when parsing JWS and JWE input. A remote attacker can pass specially crafted data to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Input validation error (CVE-ID: CVE-2025-47913)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling SSH_AGENT_SUCCESS responses in ssh agent. A malicious server can send a specially crafted response to the ssh client and crash it. 


7) Out-of-bounds read (CVE-ID: CVE-2025-47914)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition when processing new identity requests in SSH Agent servers. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.


8) Resource exhaustion (CVE-ID: CVE-2025-58181)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when parsing GSSAPI authentication requests. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Protection mechanism failure (CVE-ID: CVE-2025-65105)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures using the "--security" option. A local user can bypass implemented security restrictions and perform otherwise restricted actions.


10) Cryptographic issues (CVE-ID: CVE-2025-8556)

The vulnerability allows a remote attacker to compromise session security.

The vulnerability exists due to an error in the FourQ elliptic curve implementation and incorrect point validation during Diffie-Hellman key exchange. A remote attacker can compromise session security via low-order point injection and gain access to sensitive information.


Remediation

Install the update from the vendor's website.