Security update for cJSON SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20340-1 Final 1 1 2026-03-11T08:21:26Z current 2026-03-11T08:21:26Z 2026-03-11T08:21:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cJSON This update for cJSON fixes the following issues: - Update to version 1.7.19 * Check for NULL in cJSON_DetachItemViaPointer. * Check overlap before calling strcpy in cJSON_SetValuestring. * Fix Max recursion depth for cJSON_Duplicate to prevent stack exhaustion. * Allocate memory for the temporary buffer when paring numbers. This fixes CVE-2023-26819. (bsc#1241502) * Fix the incorrect check in decode_array_index_from_pointer. This fixes CVE-2025-57052. (bsc#1249112) - Remove not longer needed patch for NULL to deallocated pointers. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-369 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1241502 SUSE Bug 1241502 https://bugzilla.suse.com/1249112 SUSE Bug 1249112 https://www.suse.com/security/cve/CVE-2023-26819/ SUSE CVE CVE-2023-26819 page https://www.suse.com/security/cve/CVE-2025-57052/ SUSE CVE CVE-2025-57052 page openSUSE Leap 16.0 cJSON-devel-1.7.19-160000.1.1 libcjson1-1.7.19-160000.1.1 cJSON-devel-1.7.19-160000.1.1 as a component of openSUSE Leap 16.0 libcjson1-1.7.19-160000.1.1 as a component of openSUSE Leap 16.0 cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}. CVE-2023-26819 openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1 openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-26819.html CVE-2023-26819 https://bugzilla.suse.com/1241502 SUSE Bug 1241502 cJSON 1.5.0 through 1.7.18 allows out-of-bounds access via the decode_array_index_from_pointer function in cJSON_Utils.c, allowing remote attackers to bypass array bounds checking and access restricted data via malformed JSON pointer strings containing alphanumeric characters. CVE-2025-57052 openSUSE Leap 16.0:cJSON-devel-1.7.19-160000.1.1 openSUSE Leap 16.0:libcjson1-1.7.19-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-57052.html CVE-2025-57052 https://bugzilla.suse.com/1249112 SUSE Bug 1249112