{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-64076","title":"Title"},{"category":"description","text":"Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-64076","url":"https://www.suse.com/security/cve/CVE-2025-64076"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1253746 for CVE-2025-64076","url":"https://bugzilla.suse.com/1253746"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:21168-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-December/023501.html"}],"title":"SUSE CVE CVE-2025-64076","tracking":{"current_release_date":"2025-12-26T00:23:57Z","generator":{"date":"2025-11-20T00:23:10Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-64076","initial_release_date":"2025-11-20T00:23:10Z","revision_history":[{"date":"2025-11-20T00:23:10Z","number":"2","summary":"Current version"},{"date":"2025-12-05T00:24:15Z","number":"3","summary":"Current version"},{"date":"2025-12-11T00:23:47Z","number":"4","summary":"more updates released,references added"},{"date":"2025-12-12T00:25:07Z","number":"5","summary":"unknown changes"},{"date":"2025-12-26T00:23:57Z","number":"6","summary":"unknown changes"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP applications 16.0","product":{"name":"SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server-sap"}}},{"category":"product_name","name":"openSUSE Leap 16.0","product":{"name":"openSUSE Leap 16.0","product_id":"openSUSE Leap 16.0"}},{"category":"product_version","name":"python313-cbor2-5.6.5-160000.3.1","product":{"name":"python313-cbor2-5.6.5-160000.3.1","product_id":"python313-cbor2-5.6.5-160000.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-cbor2@5.6.5-160000.3.1?upstream=python-cbor2-5.6.5-160000.3.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python313-cbor2-5.6.5-160000.3.1 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:python313-cbor2-5.6.5-160000.3.1"},"product_reference":"python313-cbor2-5.6.5-160000.3.1","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"python313-cbor2-5.6.5-160000.3.1 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2-5.6.5-160000.3.1"},"product_reference":"python313-cbor2-5.6.5-160000.3.1","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"python313-cbor2-5.6.5-160000.3.1 as component of openSUSE Leap 16.0","product_id":"openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1"},"product_reference":"python313-cbor2-5.6.5-160000.3.1","relates_to_product_reference":"openSUSE Leap 16.0"}]},"vulnerabilities":[{"cve":"CVE-2025-64076","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-64076"}],"notes":[{"category":"general","text":"Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1.","title":"CVE description"}],"product_status":{"first_fixed":["SUSE Linux Enterprise Server 16.0:python313-cbor2-5.6.5-160000.3.1"],"recommended":["SUSE Linux Enterprise Server 16.0:python313-cbor2-5.6.5-160000.3.1","SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2-5.6.5-160000.3.1","openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1"]},"references":[{"category":"external","summary":"CVE-2025-64076","url":"https://www.suse.com/security/cve/CVE-2025-64076"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1253746 for CVE-2025-64076","url":"https://bugzilla.suse.com/1253746"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:21168-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-December/023501.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:python313-cbor2-5.6.5-160000.3.1","SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2-5.6.5-160000.3.1","openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1"]}],"scores":[{"cvss_v3":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Server 16.0:python313-cbor2-5.6.5-160000.3.1","SUSE Linux Enterprise Server for SAP applications 16.0:python313-cbor2-5.6.5-160000.3.1","openSUSE Leap 16.0:python313-cbor2-5.6.5-160000.3.1"]}],"threats":[{"category":"impact","date":"2025-11-18T19:04:20Z","details":"important"}],"title":"CVE-2025-64076"}]}