{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-9394","title":"Title"},{"category":"description","text":"A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-9394","url":"https://www.suse.com/security/cve/CVE-2025-9394"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1248599 for CVE-2025-9394","url":"https://bugzilla.suse.com/1248599"}],"title":"SUSE CVE CVE-2025-9394","tracking":{"current_release_date":"2025-12-19T00:47:13Z","generator":{"date":"2025-08-25T23:33:40Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-9394","initial_release_date":"2025-08-25T23:33:40Z","revision_history":[{"date":"2025-08-25T23:33:40Z","number":"2","summary":"Current version"},{"date":"2025-12-17T00:47:38Z","number":"3","summary":"description changed"},{"date":"2025-12-19T00:47:13Z","number":"4","summary":"description changed"}],"status":"interim","version":"4"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Module for Package Hub 15 SP6","product":{"name":"SUSE Linux Enterprise Module for Package Hub 15 SP6","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product":{"name":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP5-LTSS","product":{"name":"SUSE Linux Enterprise Server 12 SP5-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP5-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security","product":{"name":"SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security","product_id":"SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss-extended-security:12:sp5"}}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"libpodofo-devel","product":{"name":"libpodofo-devel","product_id":"libpodofo-devel","product_identification_helper":{"cpe":"cpe:2.3:a:podofo_project:podofo:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/libpodofo-devel@?upstream=podofo.src.rpm"}}},{"category":"product_version","name":"libpodofo0_9_6","product":{"name":"libpodofo0_9_6","product_id":"libpodofo0_9_6","product_identification_helper":{"cpe":"cpe:2.3:a:podofo_project:podofo:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/libpodofo0_9_6@?upstream=podofo.src.rpm"}}},{"category":"product_version","name":"podofo","product":{"name":"podofo","product_id":"podofo","product_identification_helper":{"cpe":"cpe:2.3:a:podofo_project:podofo:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/podofo@?upstream=podofo.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"libpodofo-devel as component of SUSE Linux Enterprise Module for Package Hub 15 SP6","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo-devel"},"product_reference":"libpodofo-devel","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"libpodofo0_9_6 as component of SUSE Linux Enterprise Module for Package Hub 15 SP6","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo0_9_6"},"product_reference":"libpodofo0_9_6","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"podofo as component of SUSE Linux Enterprise Module for Package Hub 15 SP6","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP6:podofo"},"product_reference":"podofo","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"libpodofo-devel as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libpodofo-devel"},"product_reference":"libpodofo-devel","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libpodofo0_9_6 as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:libpodofo0_9_6"},"product_reference":"libpodofo0_9_6","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"podofo as component of SUSE Linux Enterprise Module for Package Hub 15 SP7","product_id":"SUSE Linux Enterprise Module for Package Hub 15 SP7:podofo"},"product_reference":"podofo","relates_to_product_reference":"SUSE Linux Enterprise Module for Package Hub 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"libpodofo-devel as component of SUSE Linux Enterprise Server 12 SP5-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP5-LTSS:libpodofo-devel"},"product_reference":"libpodofo-devel","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP5-LTSS"},{"category":"default_component_of","full_product_name":{"name":"podofo as component of SUSE Linux Enterprise Server 12 SP5-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP5-LTSS:podofo"},"product_reference":"podofo","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP5-LTSS"},{"category":"default_component_of","full_product_name":{"name":"podofo as component of SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security","product_id":"SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security:podofo"},"product_reference":"podofo","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security"},{"category":"default_component_of","full_product_name":{"name":"libpodofo-devel as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:libpodofo-devel"},"product_reference":"libpodofo-devel","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"libpodofo0_9_6 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:libpodofo0_9_6"},"product_reference":"libpodofo0_9_6","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"podofo as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:podofo"},"product_reference":"podofo","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2025-9394","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-9394"}],"notes":[{"category":"general","text":"A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo-devel","SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo0_9_6","SUSE Linux Enterprise Module for Package Hub 15 SP6:podofo","SUSE Linux Enterprise Module for Package Hub 15 SP7:libpodofo-devel","SUSE Linux Enterprise Module for Package Hub 15 SP7:libpodofo0_9_6","SUSE Linux Enterprise Module for Package Hub 15 SP7:podofo","SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security:podofo","SUSE Linux Enterprise Server 12 SP5-LTSS:libpodofo-devel","SUSE Linux Enterprise Server 12 SP5-LTSS:podofo","openSUSE Leap 15.6:libpodofo-devel","openSUSE Leap 15.6:libpodofo0_9_6","openSUSE Leap 15.6:podofo"]},"references":[{"category":"external","summary":"CVE-2025-9394","url":"https://www.suse.com/security/cve/CVE-2025-9394"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1248599 for CVE-2025-9394","url":"https://bugzilla.suse.com/1248599"}],"threats":[{"category":"impact","date":"2025-08-24T18:00:15Z","details":"moderate"}],"title":"CVE-2025-9394"}]}