SUSE alert openSUSE-SU-2025-20020-1 (chromium)
From: meissner@suse.com
To: security-announce@lists.opensuse.org
Subject: openSUSE-SU-2025-20020-1: critical: Security update for chromium
Date: Tue, 11 Nov 2025 13:08:06 +0100
Message-ID: <20251111120806.9897DFB9C@maintenance.suse.de>

openSUSE security update: security update for chromium
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2025-20020-1
Rating: critical
References:

  * bsc#1250472
  * bsc#1250780
  * bsc#1251334

Cross-References:

  * CVE-2025-10890
  * CVE-2025-10891
  * CVE-2025-10892
  * CVE-2025-11205
  * CVE-2025-11206
  * CVE-2025-11207
  * CVE-2025-11208
  * CVE-2025-11209
  * CVE-2025-11210
  * CVE-2025-11211
  * CVE-2025-11212
  * CVE-2025-11213
  * CVE-2025-11215
  * CVE-2025-11216
  * CVE-2025-11219
  * CVE-2025-11458
  * CVE-2025-11460

Affected Products:

  openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 17 vulnerabilities and has 3 bug fixes can now be installed.

Description:

This update for chromium fixes the following issues:

Chromium 141.0.7390.76:

  * Do not send URLs as AIM input. This is to resolve a privacy concern, around passing urls to AI Mode.

Chromium 141.0.7390.65 (boo#1251334):

  * CVE-2025-11458: Heap buffer overflow in Sync
  * CVE-2025-11460: Use after free in Storage
  * CVE-2025-11211: Out of bounds read in WebCodecs

Chromium 141.0.7390.54 (stable released 2025-09-30) (boo#1250780)

  * CVE-2025-11205: Heap buffer overflow in WebGPU
  * CVE-2025-11206: Heap buffer overflow in Video
  * CVE-2025-11207: Side-channel information leakage in Storage
  * CVE-2025-11208: Inappropriate implementation in Media
  * CVE-2025-11209: Inappropriate implementation in Omnibox
  * CVE-2025-11210: Side-channel information leakage in Tab
  * CVE-2025-11211: Out of bounds read in Media
  * CVE-2025-11212: Inappropriate implementation in Media
  * CVE-2025-11213: Inappropriate implementation in Omnibox
  * CVE-2025-11215: Off by one error in V8
  * CVE-2025-11216: Inappropriate implementation in Storage
  * CVE-2025-11219: Use after free in V8
  * Various fixes from internal audits, fuzzing and other initiatives

Chromium 141.0.7390.37 (beta released 2025-09-24)

Chromium 140.0.7339.207 (boo#1250472)

  * CVE-2025-10890: Side-channel information leakage in V8
  * CVE-2025-10891: Integer overflow in V8
  * CVE-2025-10892: Integer overflow in V8

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  - openSUSE Leap 16.0

    zypper in -t patch openSUSE-Leap-16.0-packagehub-1=1

Package List:

  - openSUSE Leap 16.0:

    chromedriver-141.0.7390.76-bp160.1.1
    chromium-141.0.7390.76-bp160.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-10890.html
  * https://www.suse.com/security/cve/CVE-2025-10891.html
  * https://www.suse.com/security/cve/CVE-2025-10892.html
  * https://www.suse.com/security/cve/CVE-2025-11205.html
  * https://www.suse.com/security/cve/CVE-2025-11206.html
  * https://www.suse.com/security/cve/CVE-2025-11207.html
  * https://www.suse.com/security/cve/CVE-2025-11208.html
  * https://www.suse.com/security/cve/CVE-2025-11209.html
  * https://www.suse.com/security/cve/CVE-2025-11210.html
  * https://www.suse.com/security/cve/CVE-2025-11211.html
  * https://www.suse.com/security/cve/CVE-2025-11212.html
  * https://www.suse.com/security/cve/CVE-2025-11213.html
  * https://www.suse.com/security/cve/CVE-2025-11215.html
  * https://www.suse.com/security/cve/CVE-2025-11216.html
  * https://www.suse.com/security/cve/CVE-2025-11219.html
  * https://www.suse.com/security/cve/CVE-2025-11458.html
  * https://www.suse.com/security/cve/CVE-2025-11460.html
