SB2026050704 - SUSE update for erlang
Published: May 7, 2026

Security Bulletin ID: SB2026050704
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 40%, Medium: 20%, Low: 40%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Relative Path Traversal (CVE-ID: CVE-2026-21620)

The vulnerability allows a remote user to read and write arbitrary files.

The vulnerability exists due to relative path traversal in the Erlang/OTP TFTP server when handling remote file requests with ../ path components while using the undocumented root_dir option. A remote user can send crafted file requests to read and write arbitrary files.

Exploitation requires that the system designer used the undocumented {root_dir,RootDir} option under incorrect assumptions and that the service is reachable from untrusted hosts.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-23941)

The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in inets httpd Content-Length parsing when processing requests with duplicate Content-Length headers that contain different values. A remote attacker can send a specially crafted request to smuggle HTTP requests.

Exploitation requires httpd to be deployed behind a reverse proxy, load balancer, or CDN that uses a different Content-Length resolution strategy, typically with persistent connections enabled.
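The defensive behaviour for this class of issue is a parser that refuses ambiguous framing instead of picking one value. The following is an added example, not code from the advisory or from Erlang/OTP's inets httpd: a small header parser that resolves Content-Length as RFC 9112 section 6.3 requires (identical repeated values are tolerated, differing or non-numeric values are rejected), run over constructed sample requests. The request bytes, function names and the BadRequest class are assumptions for this illustration.

```python
import re
from typing import List, Optional, Tuple

class BadRequest(Exception):
    """Raised for requests a strict parser must reject outright."""

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 request into
    (lowercased-name, value) pairs. The request line is skipped."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers

def content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Resolve Content-Length as RFC 9112 section 6.3 requires: several
    copies are tolerated only if every value is identical; differing or
    non-numeric values are an error, never a choice between candidates."""
    values = []
    for name, value in headers:
        if name == "content-length":
            # "Content-Length: 5, 5" is one field carrying a list of values.
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return None
    if any(not re.fullmatch(r"[0-9]+", v) for v in values):
        raise BadRequest("invalid Content-Length value")
    distinct = {int(v) for v in values}
    if len(distinct) != 1:
        raise BadRequest("conflicting Content-Length values: %s" % sorted(distinct))
    return distinct.pop()

def accepts(raw: bytes) -> bool:
    """True if the request passes the strict parser, False if it is rejected."""
    try:
        content_length(parse_headers(raw))
        return True
    except BadRequest:
        return False

# Constructed sample requests (not taken from the advisory).
CLEAN = b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
CONFLICT = (b"POST /upload HTTP/1.1\r\nHost: app\r\n"
            b"Content-Length: 5\r\nContent-Length: 48\r\n\r\nhello")
REPEATED = (b"POST /upload HTTP/1.1\r\nHost: app\r\n"
            b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("conflict", CONFLICT), ("repeated", REPEATED)]:
        print(label, "accepted" if accepts(req) else "rejected")
```

Rejecting with a 400 and closing the connection matters as much as the parse itself: on a persistent connection, the bytes after the shorter of the two lengths would otherwise be read as the start of a second request.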


3) Path traversal (CVE-ID: CVE-2026-23942)

The vulnerability allows a remote user to access files outside the configured root directory.

The vulnerability exists due to path traversal in ssh_sftpd when validating file paths using string prefix matching for the root option. A remote user can request paths in sibling directories that share a common name prefix to access files outside the configured root directory.

The issue applies only when the root option is configured under the assumption that it provides complete directory isolation.
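Items 1 and 3 are two faces of the same check: a served path must be normalized so that "../" segments cannot climb out of the root, and containment must then be decided on whole path components rather than on a raw string prefix (which accepts a sibling directory such as "/srv/data-old" as if it were inside "/srv/data"). The following is an added example written for this bulletin, not code from Erlang/OTP's TFTP or ssh_sftpd modules; the root "/srv/data" and the request strings are constructed, and the function names are assumptions.

```python
import posixpath
from typing import Optional

def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the normalized path for `requested` if it lies inside `root`,
    otherwise None.

    Two defences are combined:
      * normalization collapses "../" segments, so a request such as
        "../../etc/passwd" cannot climb out of root;
      * containment is decided on whole path components, not on a raw
        string prefix, so "/srv/data-old/x" is NOT treated as inside
        "/srv/data".
    Symlinks are not considered here; a production check should also
    canonicalize with realpath() before comparing.
    """
    root = posixpath.normpath(root)
    # Treat the request as relative to root even if the client sends "/x".
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == root:
        return candidate
    # The trailing separator is what turns this into a component check.
    prefix = root.rstrip("/") + "/"
    return candidate if candidate.startswith(prefix) else None

def naive_prefix_check(root: str, candidate: str) -> bool:
    """The flawed pattern: a bare string-prefix test. It accepts sibling
    directories that merely share a name prefix with root."""
    return candidate.startswith(root)

if __name__ == "__main__":
    root = "/srv/data"
    for req in ["pub/readme.txt", "../../etc/passwd", "../data-old/secret"]:
        print(req, "->", resolve_within_root(root, req))
    print("naive prefix test on /srv/data-old/secret:",
          naive_prefix_check(root, "/srv/data-old/secret"))
```

The same helper is the right shape for both the TFTP root_dir and the sftpd root cases: the escape via "../" is caught by normalization, and the sibling-directory escape is caught by the separator-terminated prefix.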


4) Improper handling of highly compressed data (CVE-ID: CVE-2026-23943)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in ssh compression handling when decompressing crafted compressed packets. A remote attacker can send compressed packets that expand to excessive sizes when decompressed to cause a denial of service.

The zlib algorithm enables unauthenticated attacks after key exchange, while zlib@openssh.com enables attacks after authentication. When parallel_login=true, memory consumption can reach multiple gigabytes.
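The mitigation for decompression-bomb style issues is to cap the inflated size while inflating, not after. The block below is an added example, not code from the advisory or from Erlang/OTP's ssh application: it inflates a zlib stream in capped pieces using Python's zlib.decompressobj with max_length and stops once the output would exceed the configured limit. The BENIGN and BOMB samples are constructed inline (8 MiB of zeros compressed to a few kilobytes), and the function and exception names are assumptions.

```python
import zlib
from typing import Optional

class DecompressionLimitExceeded(Exception):
    """Raised when inflating would produce more than the allowed bytes."""

def inflate_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate a zlib stream while refusing to emit more than `max_out` bytes.

    Output is pulled in capped pieces via decompressobj.decompress(...,
    max_length); input the library could not consume yet is handed back in
    unconsumed_tail and fed again. The limit is checked after every piece,
    so a small packet that expands to gigabytes is stopped at max_out + 1
    bytes instead of exhausting memory.
    """
    if max_out <= 0:
        raise ValueError("max_out must be positive")
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        # Always >= 1 here; a max_length of 0 would mean "unlimited" to zlib.
        room = max_out + 1 - len(out)
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                "output exceeds %d bytes (input was %d bytes)" % (max_out, len(data)))
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail
        if not chunk and not pending:
            # No more input and no more output, yet no end-of-stream marker.
            raise zlib.error("truncated or corrupt stream")

def try_inflate(data: bytes, max_out: int) -> Optional[bytes]:
    """Convenience wrapper: the inflated bytes, or None if the cap was hit."""
    try:
        return inflate_bounded(data, max_out)
    except DecompressionLimitExceeded:
        return None

# Constructed samples: a benign message and a "bomb" of 8 MiB of zeros that
# compresses to a few kilobytes.
BENIGN = zlib.compress(b"channel data: hello")
BOMB = zlib.compress(b"\x00" * (8 * 1024 * 1024))

if __name__ == "__main__":
    print(len(BOMB), "compressed bytes ->", try_inflate(BOMB, 64 * 1024))
    print(try_inflate(BENIGN, 64 * 1024))
```

Choosing the cap is a per-protocol decision: for a transport whose packets have a known maximum plaintext size, the cap can simply be that size, and anything expanding past it is dropped and logged rather than buffered.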


5) Incorrect authorization (CVE-ID: CVE-2026-28808)

The vulnerability allows a remote attacker to bypass authorization checks and access protected CGI scripts.

The vulnerability exists due to incorrect authorization in mod_auth and mod_cgi path resolution when handling requests to script_alias CGI targets located outside DocumentRoot. A remote attacker can send a request to a script_alias URL to bypass authorization checks and access protected CGI scripts.

Exploitation requires script_alias to map a URL prefix to a CGI directory outside DocumentRoot while directory-based access controls are configured to protect that external directory.
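The general lesson of this item is that directory-based access control must be evaluated on the filesystem path a request actually resolves to, after alias mapping, not on where the URL would land under DocumentRoot. The following is an added illustration of that rule, not code from Erlang/OTP's mod_auth or mod_cgi and not their configuration syntax: a toy resolver with one script alias pointing outside DocumentRoot, a directory ACL, and a correct authorizer beside the flawed pattern that checks the DocumentRoot-relative location. All paths, users and function names are constructed.

```python
import posixpath
from typing import Dict, Set

# Constructed configuration mirroring the shape of the advisory's scenario
# (hypothetical paths and users; not OTP's configuration syntax).
DOCUMENT_ROOT = "/var/www/htdocs"
SCRIPT_ALIASES: Dict[str, str] = {"/cgi-bin/": "/opt/app/cgi/"}    # URL prefix -> CGI directory
PROTECTED_DIRS: Dict[str, Set[str]] = {"/opt/app/cgi": {"alice"}}  # directory -> users allowed

def _join_under(base: str, rel: str) -> str:
    """Join `rel` beneath `base`, refusing results that escape `base`."""
    base = posixpath.normpath(base)
    fs_path = posixpath.normpath(posixpath.join(base, rel.lstrip("/")))
    if fs_path != base and not fs_path.startswith(base + "/"):
        raise ValueError("path escapes %s" % base)
    return fs_path

def resolve(url_path: str) -> str:
    """Map a URL path to a filesystem path: script aliases win over DocumentRoot."""
    for prefix, target in SCRIPT_ALIASES.items():
        if url_path.startswith(prefix):
            return _join_under(target, url_path[len(prefix):])
    return _join_under(DOCUMENT_ROOT, url_path)

def directory_acl_allows(user: str, fs_path: str) -> bool:
    """Directory-based access control evaluated on a filesystem path."""
    for directory, allowed in PROTECTED_DIRS.items():
        if fs_path == directory or fs_path.startswith(directory + "/"):
            return user in allowed
    return True  # no protected directory covers this path

def authorize_correct(user: str, url_path: str) -> bool:
    """Resolve the alias first, then apply the ACL to where the script really lives."""
    return directory_acl_allows(user, resolve(url_path))

def authorize_flawed(user: str, url_path: str) -> bool:
    """The bug class: the ACL is checked against the DocumentRoot-relative
    location, so a target living outside DocumentRoot never matches its
    protected directory and the check passes for everyone."""
    return directory_acl_allows(user, _join_under(DOCUMENT_ROOT, url_path))

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "/cgi-bin/admin.sh ->",
              "correct:", authorize_correct(user, "/cgi-bin/admin.sh"),
              "flawed:", authorize_flawed(user, "/cgi-bin/admin.sh"))
```

A quick configuration check for deployments like this: for every script_alias whose target is outside DocumentRoot, confirm that requests to the aliased URL are actually challenged for credentials, since the ACL may be written correctly and still never be consulted.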


Remediation

Install the update from the vendor's website.