SB2026051859 - SUSE update for ovmf
Published: May 18, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Buffer underflow (CVE-ID: CVE-2026-25833)
CWE-ID: CWE-124 - Buffer Underwrite ('Buffer Underflow')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in x509_inet_pton_ipv6() when parsing IPv6 address input. A remote attacker can send a specially crafted IPv6 address string to cause a buffer underread of up to 4 bytes, potentially leading to a denial of service.
In rare cases, the buffer underread may cross a page boundary and trigger a memory access violation, resulting in a crash.
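The defensive pattern for this bug class, shown as an added example written for this bulletin and not taken from mbedtls: a textual IPv6 parser in which every read of the input is guarded by an explicit index comparison against the length, and look-behind is replaced by parser state, so a string that begins with ':' or is cut off after a ':' can never push the parser to read before or past the buffer. The function name safe_inet_pton_ipv6, the helper names and the test strings are constructed; the parser deliberately rejects IPv4-embedded forms such as ::ffff:1.2.3.4, which the real x509_inet_pton_ipv6() may treat differently.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not mbedtls code): bounds-checked textual IPv6 parser.
 * No expression below reads s[i] without first establishing i < len, and
 * the "was the previous character a colon" question is answered from
 * state (zero_pos, count), never by looking at s[pos - 1]. */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse s[0..len) into 16 big-endian bytes. Returns 0 on success, -1 on
 * any malformed input. Exactly one "::" is allowed and it must stand for
 * at least one zero group; IPv4-embedded forms are rejected. */
int safe_inet_pton_ipv6(const char *s, size_t len, uint8_t out[16])
{
    uint16_t groups[8];
    size_t count = 0;      /* groups parsed so far */
    int zero_pos = -1;     /* group index where "::" expands, -1 if absent */
    size_t pos = 0;

    if (s == NULL || out == NULL || len == 0) return -1;

    /* A leading ':' is only legal as part of a leading "::". s[1] is read
     * only after len >= 2 has been established. */
    if (s[0] == ':') {
        if (len < 2 || s[1] != ':') return -1;
        zero_pos = 0;
        pos = 2;
    }

    while (pos < len) {
        unsigned v = 0;
        size_t digits = 0;
        while (pos < len && digits < 4 && hexval(s[pos]) >= 0) {
            v = (v << 4) | (unsigned)hexval(s[pos]);
            pos++; digits++;
        }
        if (digits == 0) return -1;          /* empty group: "1:::2", ":::" */
        if (count == 8) return -1;           /* more than eight groups */
        groups[count++] = (uint16_t)v;
        if (pos == len) break;               /* string ends after a group */
        if (s[pos] != ':') return -1;        /* five hex digits, '.', junk */
        pos++;
        if (pos == len) return -1;           /* trailing single ':' */
        if (s[pos] == ':') {                 /* "::" */
            if (zero_pos != -1) return -1;   /* only one "::" allowed */
            zero_pos = (int)count;
            pos++;                            /* a trailing "::" ends the loop */
        }
    }

    if (zero_pos == -1) {
        if (count != 8) return -1;
    } else if (count > 7) {
        return -1;                           /* "::" must replace >= 1 group */
    }

    /* Expand: groups before "::", then zeros, then groups after "::". */
    size_t fill = (zero_pos == -1) ? 0 : 8 - count;
    size_t oi = 0;
    for (size_t i = 0; i < count; i++) {
        if (zero_pos != -1 && (int)i == zero_pos) {
            memset(out + oi * 2, 0, fill * 2);
            oi += fill;
        }
        out[oi * 2] = (uint8_t)(groups[i] >> 8);
        out[oi * 2 + 1] = (uint8_t)(groups[i] & 0xff);
        oi++;
    }
    if (zero_pos != -1 && zero_pos == (int)count) {   /* "::" at the end */
        memset(out + oi * 2, 0, fill * 2);
        oi += fill;
    }
    return (oi == 8) ? 0 : -1;
}

/* Test helper: parse a NUL-terminated string and return byte idx of the
 * result, or -1 if the string is rejected. */
int parsed_byte(const char *s, int idx)
{
    uint8_t b[16];
    if (idx < 0 || idx > 15) return -1;
    if (safe_inet_pton_ipv6(s, strlen(s), b) != 0) return -1;
    return b[idx];
}
```

The inputs that matter for this bug class are the ones where a colon sits at a buffer edge: ":1", "1:", "::", ":::" and the empty string. Each of them is decided by an index comparison before any byte is read, which is the property a fuzz harness for such a parser should also assert under AddressSanitizer.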
2) Improper access control (CVE-ID: CVE-2026-25834)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass security policies.
The vulnerability exists due to improper access control in the TLS 1.2 signature algorithm negotiation component when processing server responses during handshake. A remote attacker can send a specially crafted server response to cause the client to accept a signature algorithm not previously advertised in the client hello, leading to a security policy bypass.
The issue affects only TLS 1.2 connections and occurs when the server ignores the signature algorithms extension sent by the client. The client fails to enforce the configured policy via mbedtls_ssl_conf_sig_algs().
3) Use of insufficiently random values (CVE-ID: CVE-2026-25835)
CWE-ID: CWE-330 - Use of Insufficiently Random Values
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to obtain predictable random numbers.
The vulnerability exists due to insufficient randomness in the PSA random generator when application state is cloned. A local user can exploit system or application cloning scenarios such as fork(), VM cloning, or hibernation resume to cause multiple instances to generate identical random outputs, enabling prediction of cryptographic keys and nonces.
Applications that use the PSA random generator are affected when the system or application state is cloned without reseeding the generator. This includes scenarios such as fork() on Unix-like systems, virtual machine cloning, and resuming hibernation images multiple times.
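Why cloning without a reseed is fatal for a deterministic generator, and what the mitigation looks like, as an added example written for this bulletin rather than code from mbedtls or the PSA crypto API. A toy generator context (toy_drbg, splitmix64 as its mixing step; both constructed, neither is a cryptographic DRBG) stands in for the real one: its output is a pure function of its state, as any DRBG's is between reseeds. The clone event is modelled as a byte copy of the context, which is what fork(), VM snapshot cloning and a hibernation image do to the generator's memory. Entropy for the reseed is read from /dev/urandom, an assumption about the host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not mbedtls/PSA code. */

typedef struct {
    uint64_t state;
    uint64_t reseed_counter;   /* times fresh entropy was mixed in */
} toy_drbg;

/* Toy mixing step (constructed); a real DRBG would use a block cipher or hash. */
static uint64_t splitmix64(uint64_t *x)
{
    uint64_t z = (*x += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

void drbg_init(toy_drbg *ctx, uint64_t seed)
{
    ctx->state = seed;
    ctx->reseed_counter = 0;
}

/* Output depends only on the state: two identical contexts give identical bytes. */
uint64_t drbg_generate(toy_drbg *ctx)
{
    return splitmix64(&ctx->state);
}

/* Mitigation: fold fresh entropy into the state so that clones diverge. */
void drbg_reseed(toy_drbg *ctx, const uint8_t *entropy, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        ctx->state ^= (uint64_t)entropy[i] << (8 * (i % 8));
        ctx->state = splitmix64(&ctx->state);
    }
    ctx->reseed_counter++;
}

/* Fresh entropy from the OS. Returns 0 on success, -1 if unavailable; a
 * caller must fail closed on -1 rather than keep using the cloned state. */
int os_entropy(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n == len ? 0 : -1;
}

/* Clone a generator, draw one output from original and clone, and report
 * whether they collide. reseed != 0 applies the mitigation in the clone.
 * Returns 1 on collision, 0 if the outputs differ, -1 if no entropy. */
int clone_outputs_match(int reseed)
{
    toy_drbg original, clone;
    drbg_init(&original, 0x1122334455667788ULL);   /* constructed fixed seed */
    memcpy(&clone, &original, sizeof clone);       /* the clone event */
    if (reseed) {
        uint8_t fresh[32];
        if (os_entropy(fresh, sizeof fresh) != 0) return -1;
        drbg_reseed(&clone, fresh, sizeof fresh);
    }
    return drbg_generate(&original) == drbg_generate(&clone) ? 1 : 0;
}
```

For the fork() case the same reseed has to run in the child before it draws anything, which in practice means registering it as the child handler of pthread_atfork() or calling it immediately after fork() returns 0; for VM cloning and hibernation resume the trigger is the platform's clone notification, and the generator must refuse to produce output until the reseed has succeeded.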
4) NULL pointer dereference (CVE-ID: CVE-2026-34874)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper memory management in the function mbedtls_x509_string_to_names() when processing user-supplied distinguished names. A remote attacker can cause a memory allocation failure during the execution of mbedtls_x509_string_to_names() to trigger a null pointer dereference, leading to arbitrary code execution on systems without memory protection at address 0.
On platforms with memory protection, this may result in a segmentation fault or denial of service instead of code execution.
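The defensive pattern for this bug class, as an added example written for this bulletin and not taken from mbedtls: a small string-to-names builder in which every allocation is checked and an allocation failure unwinds everything built so far and reports an error, instead of continuing into a NULL dereference. A fault-injecting allocator (checked_calloc, with g_fail_on selecting which allocation fails) exercises each failure point in turn and a live-allocation counter confirms that nothing leaks on the error path. The node layout, function names and the sample distinguished-name string are constructed and only loosely modelled on an X.509 RDN list.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not mbedtls code. */

typedef struct name_node {
    char *value;               /* one "attr=value" element */
    struct name_node *next;
} name_node;

/* Fault injection: when g_fail_on >= 0, the g_fail_on-th allocation fails.
 * g_live counts outstanding blocks so a leak on the error path is visible. */
static int g_fail_on = -1;
static int g_alloc_count = 0;
static int g_live = 0;

static void *checked_calloc(size_t n, size_t sz)
{
    int idx = g_alloc_count++;
    if (g_fail_on >= 0 && idx == g_fail_on) return NULL;
    void *p = calloc(n, sz);
    if (p != NULL) g_live++;
    return p;
}

static void checked_free(void *p)
{
    if (p != NULL) { g_live--; free(p); }
}

void free_names(name_node *head)
{
    while (head != NULL) {
        name_node *next = head->next;
        checked_free(head->value);
        checked_free(head);
        head = next;
    }
}

/* Parse "CN=example,O=Example Org" into a list. Returns 0 on success,
 * -1 on allocation failure (with *head NULL and nothing leaked), -2 on an
 * empty element. */
int string_to_names(const char *s, name_node **head)
{
    name_node *first = NULL, **tail = &first;
    *head = NULL;
    while (*s != '\0') {
        const char *end = strchr(s, ',');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        if (len == 0) { free_names(first); return -2; }

        name_node *node = checked_calloc(1, sizeof *node);
        if (node == NULL) { free_names(first); return -1; }

        node->value = checked_calloc(len + 1, 1);
        if (node->value == NULL) {          /* the check whose absence is the bug class */
            checked_free(node);
            free_names(first);
            return -1;
        }
        memcpy(node->value, s, len);        /* would dereference NULL without the check */

        *tail = node;
        tail = &node->next;
        s = end ? end + 1 : s + len;
    }
    *head = first;
    return 0;
}

/* Run the builder with the n-th allocation forced to fail (n < 0: no fault).
 * Returns the builder's result, or -3 if any block was leaked. */
int build_with_fault(const char *s, int n)
{
    name_node *head = NULL;
    g_fail_on = n; g_alloc_count = 0; g_live = 0;
    int rc = string_to_names(s, &head);
    free_names(head);
    g_fail_on = -1;
    return g_live != 0 ? -3 : rc;
}
```

The two-element sample string needs four allocations, so forcing failures 0 through 3 covers every allocation site; a fault index beyond that never fires and the build succeeds. Running the same sweep under AddressSanitizer against a builder that lacks the checks is the quickest way to confirm whether a given code path is reachable by a memory-allocation failure.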
Remediation
Install the update from the vendor's website.