|
|
Log in / Subscribe / Register

SUSE alert openSUSE-SU-2026:20133-1 (glibc)



From:
              null@suse.de


To:
              security-announce@lists.opensuse.org


Subject:
              openSUSE-SU-2026:20133-1: important: Security update for glibc


Date:
              Tue, 03 Feb 2026 15:24:45 +0100


Message-ID:
              <20260203142445.8DABAFE86@maintenance.suse.de>


Archive-link:
              Article


openSUSE security update: security update for glibc
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20133-1
Rating: important
References:

  * bsc#1236282
  * bsc#1256436
  * bsc#1256766
  * bsc#1256822
  * bsc#1257005



Cross-References:

  * CVE-2025-0395
  * CVE-2025-15281
  * CVE-2026-0861
  * CVE-2026-0915



CVSS scores:

  * CVE-2025-0395 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  * CVE-2025-0395 ( SUSE ): 2 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-15281 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-15281 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-0861 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-0861 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-0915 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-0915 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 4 vulnerabilities and has 5 bug fixes can now be installed.

Description:

This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer
overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in
_nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-218=1

Package List:

- openSUSE Leap 16.0:

  cross-aarch64-glibc-devel-2.40-160000.3.1
  cross-ppc64le-glibc-devel-2.40-160000.3.1
  cross-riscv64-glibc-devel-2.40-160000.3.1
  cross-s390x-glibc-devel-2.40-160000.3.1
  glibc-2.40-160000.3.1
  glibc-devel-2.40-160000.3.1
  glibc-devel-static-2.40-160000.3.1
  glibc-extra-2.40-160000.3.1
  glibc-gconv-modules-extra-2.40-160000.3.1
  glibc-html-2.40-160000.3.1
  glibc-i18ndata-2.40-160000.3.1
  glibc-info-2.40-160000.3.1
  glibc-lang-2.40-160000.3.1
  glibc-locale-2.40-160000.3.1
  glibc-locale-base-2.40-160000.3.1
  glibc-profile-2.40-160000.3.1
  glibc-utils-2.40-160000.3.1

References:

  * https://www.suse.com/security/cve/CVE-2025-0395.html
  * https://www.suse.com/security/cve/CVE-2025-15281.html
  * https://www.suse.com/security/cve/CVE-2026-0861.html
  * https://www.suse.com/security/cve/CVE-2026-0915.html
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds