SB2026042133 - SUSE update for ruby2.5
Published: April 21, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Inefficient regular expression complexity (CVE-ID: CVE-2024-49761)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when parsing an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
2) Resource exhaustion (CVE-ID: CVE-2025-58767)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing invalid XML containing multiple XML declarations. A local attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Buffer overflow (CVE-ID: CVE-2026-27820)
The vulnerability allows a remote attacker to cause memory corruption.
The vulnerability exists due to buffer overflow in zstream_buffer_ungets() function when parsing input within the Zlib::GzipReader. A remote attacker can provide crafted input that causes the buffer length to exceed its capacity to cause memory corruption.
User interaction is required.
Remediation
Install update from vendor's website.