SB20260409103 - SUSE update for Recommended update for shadow
Published: April 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2013-4235)
The vulnerability allows a local user to delete or modify arbitrary files on the system.
The vulnerability exists due to a race condition in shadow-utils when executing usermod/userdel operations. A local user with write access to the directory that is being moved or deleted by the usermod/userdel commands can modify or delete arbitrary files on the system.
Successful exploitation of the vulnerability may allow an attacker to corrupt arbitrary files on the system and perform a denial of service (DoS) attack.
2) Information disclosure (CVE-ID: CVE-2023-4641)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an error in gpasswd(1), which fails to clean memory properly. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. A local user with enough access can retrieve the password from the memory.
Remediation
Install update from vendor's website.