SB2026051961 - SUSE update for erlang26



Published: May 19, 2026

Security Bulletin ID: SB2026051961
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33% Medium 17% Low 50%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Relative Path Traversal (CVE-ID: CVE-2026-21620)

CWE-ID: CWE-23 - Relative Path Traversal

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read and write arbitrary files.

The vulnerability exists due to relative path traversal in the Erlang/OTP TFTP server when handling remote file requests with ../ path components while using the undocumented root_dir option. A remote user can send crafted file requests to read and write arbitrary files.

Exploitation requires that the system designer used the undocumented {root_dir,RootDir} option under incorrect assumptions and that the service is reachable from untrusted hosts.


2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-23941)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to smuggle HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in inets httpd Content-Length parsing when processing requests with duplicate Content-Length headers that contain different values. A remote attacker can send a specially crafted request to smuggle HTTP requests.

Exploitation requires httpd to be deployed behind a reverse proxy, load balancer, or CDN that uses a different Content-Length resolution strategy, typically with persistent connections enabled.
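
The framing rule that avoids the class of bug in finding 2, as an added example in Python (not inets httpd code): when two Content-Length values disagree, the request is refused rather than resolved to one of them, so a proxy and the origin cannot frame the body differently. The request bytes are constructed for the demo.

```python
# Added example (not inets httpd code): reject HTTP/1.1 requests whose
# Content-Length headers disagree, following RFC 7230 section 3.3.3, instead
# of silently picking one of the values (first, last, largest).
from typing import List, Optional, Tuple

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (name, value) pairs, preserving duplicates."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("ascii").lower(),
                        value.strip().decode("ascii")))
    return headers

def resolve_content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the body length, None if absent; raise ValueError on any conflict."""
    values = set()
    for name, value in headers:
        if name == "content-length":
            # The comma-separated list form is tolerated only if every member agrees.
            values.update(v.strip() for v in value.split(","))
    if not values:
        return None
    if len(values) > 1:
        # Conflicting values: refuse the request rather than choose one of them.
        raise ValueError(f"conflicting Content-Length values: {sorted(values)}")
    value = values.pop()
    if not value.isdigit():  # rejects "", "+5", "0x5", "-1"
        raise ValueError(f"non-numeric Content-Length: {value!r}")
    return int(value)

def should_accept(raw: bytes) -> Tuple[bool, str]:
    """Framing decision for one raw request head: (accept, reason)."""
    try:
        length = resolve_content_length(parse_headers(raw))
    except ValueError as err:
        return False, str(err)
    return True, f"body length {length}"

# Constructed sample requests (not captured traffic).
CONFLICTING = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")
CONSISTENT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5, 5\r\n\r\nhello")
```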


3) Path traversal (CVE-ID: CVE-2026-23942)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access files outside the configured root directory.

The vulnerability exists due to path traversal in ssh_sftpd when validating file paths using string prefix matching for the root option. A remote user can request paths in sibling directories that share a common name prefix to access files outside the configured root directory.

The issue applies only when the root option is configured under the assumption that it provides complete directory isolation.
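
The containment check that findings 1 and 3 both call for, as an added Python illustration (not Erlang/OTP code): client paths are interpreted relative to the root, lexically normalised so that `../` segments collapse, and then compared to the root by whole path components rather than by a raw string prefix. The root and sibling directory names are constructed for the demo; symlink resolution is out of scope here.

```python
# Added example (not Erlang/OTP code): a component-aware containment check
# for a chroot-style root option, contrasted with the string-prefix check
# that findings 1 and 3 above describe. Paths are handled lexically; a real
# server must additionally resolve symlinks before trusting the result.
import posixpath
from typing import Optional

def prefix_check_is_inside(root: str, candidate: str) -> bool:
    """The weak check: a raw character-prefix comparison."""
    return candidate.startswith(root)

def resolve_under_root(root: str, requested: str) -> str:
    """Map a client-supplied path onto the tree below root, collapsing . and .. ."""
    root = posixpath.normpath(root)
    # Client paths are interpreted relative to root even when they begin with "/".
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))

def component_check_is_inside(root: str, resolved: str) -> bool:
    """The hardened check: resolved is root itself or lies below a root/ boundary."""
    root = posixpath.normpath(root)
    return resolved == root or resolved.startswith(root.rstrip("/") + "/")

def authorise(root: str, requested: str) -> Optional[str]:
    """Return the filesystem path to serve, or None when the request escapes root."""
    resolved = resolve_under_root(root, requested)
    return resolved if component_check_is_inside(root, resolved) else None

# Constructed layout: /srv/sftp is the configured root, /srv/sftp-old is a sibling.
ROOT = "/srv/sftp"
```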


4) Improper handling of highly compressed data (CVE-ID: CVE-2026-23943)

CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in ssh compression handling when decompressing crafted compressed packets. A remote attacker can send compressed packets that expand to excessive sizes when decompressed to cause a denial of service.

The zlib algorithm enables unauthenticated attacks after key exchange, while zlib@openssh.com enables attacks after authentication. When parallel_login=true, memory consumption can reach multiple gigabytes.
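
A bounded decompressor of the kind that prevents the amplification in finding 4, as an added Python example (not Erlang/OTP ssh code): output is capped at a fixed limit and the packet is rejected as soon as that limit is exceeded, before the full expansion is ever allocated. The cap value and the sample payloads are constructed for the demo.

```python
# Added example (not Erlang/OTP ssh code): inflate a compressed payload with a
# hard output cap so that a small packet cannot expand into gigabytes.
import zlib

MAX_PACKET = 256 * 1024  # constructed cap for this demo, not an OTP setting

def inflate_bounded(data: bytes, limit: int = MAX_PACKET) -> bytes:
    """Inflate data, raising ValueError if the output would exceed limit bytes."""
    d = zlib.decompressobj()
    # Ask for at most limit + 1 bytes: receiving that many proves the cap is broken,
    # and the remaining input is never inflated.
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError(f"decompressed payload exceeds {limit} bytes")
    return out

def fits_within(data: bytes, limit: int = MAX_PACKET) -> bool:
    """Boolean form of the same check, convenient for accept/reject decisions."""
    try:
        inflate_bounded(data, limit)
        return True
    except ValueError:
        return False

# Constructed inputs: 4 MiB of zeros compresses to a few KiB; SMALL is a normal payload.
BOMB = zlib.compress(b"\0" * (4 * 1024 * 1024), 9)
PAYLOAD = b"ssh packet payload " * 10
SMALL = zlib.compress(PAYLOAD, 9)
```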


5) Incorrect authorization (CVE-ID: CVE-2026-28808)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authorization checks and access protected CGI scripts.

The vulnerability exists due to incorrect authorization in mod_auth and mod_cgi path resolution when handling requests to script_alias CGI targets located outside DocumentRoot. A remote attacker can send a request to a script_alias URL to bypass authorization checks and access protected CGI scripts.

Exploitation requires script_alias to map a URL prefix to a CGI directory outside DocumentRoot while directory-based access controls are configured to protect that external directory.


6) Path traversal (CVE-ID: CVE-2026-32147)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify file attributes outside the intended chroot boundary.

The vulnerability exists due to path traversal in the ssh_sftpd SFTP daemon when handling SSH_FXP_FSETSTAT on file handles created from user-supplied paths. A remote user can create a corresponding path inside the chroot and issue a crafted SSH_FXP_FSETSTAT request to modify file attributes outside the intended chroot boundary.

Only servers configured with the root option are vulnerable, and the target file must already exist on the real filesystem. File contents cannot be read or modified through this issue.


Remediation

Install the update from the vendor's website.