SB2026041667 - SUSE update for ovmf
Published: April 16, 2026
Security Bulletin ID
SB2026041667
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Covert Timing Channel (CVE-ID: CVE-2025-59438)
The vulnerability allows an attacker to perform padding oracle attack.
The vulnerability exists due to padding oracle through timing of cipher error reporting. An attacker can recover plain texts encrypted with CBC-PKCS7 or other symmetric encryption mode using padding when it is decrypted through the PSA API.
Remediation
Install update from vendor's website.