libmunge2-0.5.18-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10178-1 Final 1 1 2026-02-11T00:00:00Z current 2026-02-11T00:00:00Z 2026-02-11T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmunge2-0.5.18-1.1 on GA media These are all security issues fixed in the libmunge2-0.5.18-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10178 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2026-25506/ SUSE CVE CVE-2026-25506 page openSUSE Tumbleweed libmunge2-0.5.18-1.1 munge-0.5.18-1.1 munge-devel-0.5.18-1.1 libmunge2-0.5.18-1.1 as a component of openSUSE Tumbleweed munge-0.5.18-1.1 as a component of openSUSE Tumbleweed munge-devel-0.5.18-1.1 as a component of openSUSE Tumbleweed MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18. CVE-2026-25506 openSUSE Tumbleweed:libmunge2-0.5.18-1.1 openSUSE Tumbleweed:munge-0.5.18-1.1 openSUSE Tumbleweed:munge-devel-0.5.18-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-25506.html CVE-2026-25506 https://bugzilla.suse.com/1257651 SUSE Bug 1257651